ECS4120-28Fv2 ECS4120-28Fv2-I 28-Port Layer 2+ Gigabit Ethernet Switch CLI Reference Guide Software Release v1.2.2.24 www.edge-core.
CLI Reference Guide

ECS4120-28Fv2 Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 20 100/1000 SFP Ports, 4 10/100/1000 BASE-T (RJ-45) / 100/1000 SFP Combo Ports, 4 10 Gigabit SFP+ Ports, and DC Power Supply (Operating Temperature: 0°C – 50°C)

ECS4120-28Fv2-I Gigabit Ethernet Switch
L2+ Gigabit Ethernet Switch with 20 100/1000 SFP Ports, 4 10/100/1000 BASE-T (RJ-45) / 100/1000 SFP Combo Ports, 4 10 Gigabit SFP+ Ports, and DC Power Supply (Operating Temperature: -10°C – 65°C)

E102019-CS-R04
How to Use This Guide

This guide includes detailed information on the switch software, including how to operate and use the management functions of the switch. To deploy this switch effectively and ensure trouble-free operation, you should first read the relevant sections in this guide so that you are familiar with all of its software features.

Who Should Read This Guide?

This guide is for network administrators who are responsible for operating and maintaining network equipment.
For all safety information and regulatory statements, see the following documents:

◆ Quick Start Guide
◆ Safety and Regulatory Information

Conventions

The following conventions are used throughout this guide to show information:

Note: Emphasizes important information or calls your attention to related features or instructions.

Caution: Alerts you to a potential hazard that could cause loss of data, or damage the system or equipment.
Revision Date Change Description v1.2.2.
Section I Getting Started

This section provides an overview of the switch, and introduces some basic concepts about network switches. It also describes the basic settings required to access the management interface.
1 Initial Switch Configuration

This chapter includes information on connecting to the switch and basic configuration procedures.

Connecting to the Switch

The switch includes a built-in network management agent. The agent offers a variety of management options, including SNMP, RMON and a web-based interface. A PC may also be connected directly to the switch for configuration and monitoring via a command line interface (CLI).

Note: An IPv4 address for this switch is obtained via DHCP by default.
◆ Control port access through IEEE 802.1X security or static address filtering
◆ Filter packets using Access Control Lists (ACLs)
◆ Configure up to 4094 IEEE 802.
4. Power on the switch.

After the system completes the boot cycle, the logon screen appears.

Logging Onto the Command Line Interface

The CLI program provides two different command levels — normal access level (Normal Exec) and privileged access level (Privileged Exec).
Username: admin
Password:

CLI session with the ECS4120-28Fv2-I* is opened.
To end the CLI session, enter [Exit].

Console#configure
Console(config)#username guest password 0 [password]
Console(config)#username admin password 0 [password]
Console(config)#

* This manual covers the ECS4120-28Fv2 and ECS4120-28Fv2-I Gigabit Ethernet switches.
Configuring the Switch for Remote Management

Setting an IP Address

You must establish IP address information for the switch to obtain management access through the network. This can be done in either of the following ways:

◆ Manual — You have to input the information, including IP address and subnet mask. If your management station is not in the same IP subnet as the switch, you will also need to specify the default gateway router.
4. To set the IP address of the default gateway for the network to which the switch belongs, type “ip default-gateway gateway,” where “gateway” is the IP address of the default gateway. Press <Enter>.

Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#exit
Console(config)#ip default-gateway 192.168.1.
  ff02::2
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Console(config-if)#ipv6 address 2001:DB8:2222:7272::/64
Console(config-if)#exit
Console(config)#ipv6 default-gateway 2001:DB8:2222:7272::254
Console(config)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
If the “bootp” or “dhcp” option is saved to the startup-config file (step 6), then the switch will start broadcasting service requests as soon as it is powered on.

To automatically configure the switch by communicating with BOOTP or DHCP address allocation servers on the network, complete the following steps:

1. From the Global Configuration mode prompt, type “interface vlan 1” to access the interface-configuration mode.
Console(config)#interface vlan 1
Console(config-if)#ipv6 enable
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled
Link-local address:
  FE80::260:3EFF:FE11:6700/64
Global unicast address(es):
  2001:DB8:2222:7272::/64, subnet is 2001:DB8:2222:7272::/64
Joined group address(es):
  FF02::1:FF00:0
  FF02::1:FF11:6700
  FF02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1.
Joined group address(es):
  ff02::1:ff00:fd
  ff02::1:ff11:6700
  ff02::1
IPv6 link MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 3.
Enabling SNMP Management Access

To configure a community string, complete the following steps:

1. From the Privileged Exec level global configuration mode prompt, type “snmp-server community string mode,” where “string” is the community access string and “mode” is rw (read/write) or ro (read only). Press <Enter>. (Note that the default mode is read only.)

2.
another view that includes the IEEE 802.1d bridge MIB. It assigns these respective read and read/write views to a group called “r&d” and specifies group authentication via MD5 or SHA. In the last step, it assigns a v3 user to this group, indicating that MD5 will be used for authentication, provides the password “greenpeace” for authentication, and the password “einstien” for encryption.
Managing System Files

Due to the size limit of the flash memory, the switch supports only two operation code files. However, you can have as many configuration files as available flash memory space allows. The switch has a total of 256 MB of flash memory for system files.

In the system flash memory, one file of each type must be set as the start-up file.
Saving or Restoring Configuration Settings

Configuration commands only modify the running configuration file and are not saved when the switch is rebooted. To save all your configuration changes in nonvolatile storage, you must copy the running configuration file to the start-up configuration file using the “copy” command.

New startup configuration files must have a name specified.
Flash programming started.
Flash programming completed.
Success.
Console#

Automatic Installation of Operation Code and Configuration Settings

Downloading Operation Code from a File Server

Automatic Operation Code Upgrade can automatically download an operation code file when a file newer than the currently installed one is discovered on the file server.
the stored file name as being equal. A notable exception in the list of case-sensitive Unix-like operating systems is Mac OS X, which by default is case-insensitive. Please check the documentation for your server’s operating system if you are unsure of its file system’s behavior.
This shows how to specify an FTP server where new code is stored.

Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#

2. Set the switch to automatically reboot and load the new code after the opcode upgrade is completed.

Console(config)#upgrade opcode reload
Console(config)#

3.
DHCP client Identifier (Option 60) is used by DHCP clients to specify their unique identifier. The client identifier is optional and can be specified while configuring DHCP on the primary network interface. DHCP Option 60 is disabled by default. The general framework for this DHCP option is set out in RFC 2132 (Option 60).
◆ If the switch does not receive a DHCP(v6) response prior to completing the bootup process, it will continue to send a DHCP(v6) client request once a minute. These requests will only be terminated if the switch’s address is manually configured, but will resume if the address mode is set back to DHCP(v6).
server-name "Server1";
Server-identifier 192.168.255.250;
#option 66, 67
option space dynamicProvision code width 1 length 1 hash size 2;
option dynamicProvision.tftp-server-name code 66 = text;
option dynamicProvision.bootfile-name code 67 = text;
subnet 192.168.255.0 netmask 255.255.255.0 {
  range 192.168.255.160 192.168.255.200;
  option routers 192.168.255.101;
  option tftp-server-name "192.168.255.
Setting the System Clock

Setting the Time Manually

To manually set the clock to 14:11:36, April 1st, 2013, enter this command.

Console#calendar set 14 11 36 1 April 2013
Console#

To set the time zone, enter a command similar to the following.

Console(config)#clock timezone Japan hours 8 after-UTC
Console(config)#

To set the time shift for summer time, enter a command similar to the following.
Configuring NTP

Requesting the time from an NTP server is the most secure method. You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
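As an added example (not from the Edgecore guide), the following Python script audits a captured command list for four settings this chapter shows: a password entered with the `0` marker, a read/write SNMP community, FTP credentials embedded in `upgrade opcode path`, and an NTP server configured without `ntp authenticate`. The rule names, the sample commands and addresses, the `ntp server` argument form, and the reading of `0` as "plain text follows" are assumptions made for the example.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlsplit


class Finding(NamedTuple):
    line: int    # 1-based line number in the audited text
    rule: str    # rule name (hypothetical, chosen for this example)
    detail: str  # human-readable message, with secrets left out


# Constructed sample in the style of the console sessions in this chapter.
# All names, addresses and secrets are made up or copied from the page's own example.
SAMPLE_CONFIG = """\
Console(config)#username guest password 0 guest-example
Console(config)#username admin password 0 admin-example
Console(config)#snmp-server community example-ro ro
Console(config)#snmp-server community example-rw rw
Console(config)#snmp-server community example-default
Console(config)#upgrade opcode path ftp://admin:billy@192.168.0.1/sm24/
Console(config)#upgrade opcode reload
Console(config)#ntp client
Console(config)#ntp server 192.168.3.20
"""

# Strips a leading "Console#" or "Console(config...)#" prompt from a captured line.
PROMPT = re.compile(r"^Console(?:\([^)]*\))?#\s*")
# Assumption: the digit 0 after "password" means the password follows in plain text.
USERNAME = re.compile(r"^username\s+(\S+)\s+password\s+0\s+\S+")
# The mode is optional; the chapter states that the default mode is read only.
COMMUNITY = re.compile(r"^snmp-server\s+community\s+\S+(?:\s+(ro|rw))?\s*$")
OPCODE_PATH = re.compile(r"^upgrade\s+opcode\s+path\s+(\S+)")


def audit(text: str) -> List[Finding]:
    """Return findings for a list of CLI commands, one command per line."""
    findings: List[Finding] = []
    ntp_server_line = 0   # first line that configures an NTP server
    ntp_authenticate = False

    for number, raw in enumerate(text.splitlines(), start=1):
        command = PROMPT.sub("", raw.strip())
        if not command:
            continue

        match = USERNAME.match(command)
        if match:
            findings.append(Finding(
                number, "plaintext-password",
                f"user {match.group(1)}: password entered in plain text"))
            continue

        match = COMMUNITY.match(command)
        if match:
            if match.group(1) == "rw":
                findings.append(Finding(
                    number, "snmp-read-write",
                    "community string grants read/write access"))
            continue

        match = OPCODE_PATH.match(command)
        if match:
            url = urlsplit(match.group(1))
            if url.scheme.lower() == "ftp" and url.password:
                findings.append(Finding(
                    number, "ftp-credentials-in-path",
                    f"FTP login for {url.username}@{url.hostname} is stored "
                    "in the upgrade path and sent unencrypted"))
            continue

        if command == "ntp authenticate":
            ntp_authenticate = True
        elif command.startswith("ntp server ") and not ntp_server_line:
            ntp_server_line = number

    # Whole-config check: a server is configured but authentication is never enabled.
    if ntp_server_line and not ntp_authenticate:
        findings.append(Finding(
            ntp_server_line, "ntp-unauthenticated",
            "NTP server configured without 'ntp authenticate'"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(f"line {finding.line}: [{finding.rule}] {finding.detail}")
```

The messages deliberately omit the password and community string values so the audit output can be stored or shared without leaking them.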
Section II Command Line Interface

This section provides a detailed description of the Command Line Interface, along with examples for all of the commands.
◆ “TWAMP Commands”
◆ “Spanning Tree Commands”
◆ “ERPS Commands”
◆ “VLAN Commands”
◆ “Class of Service Commands”
◆ “Quality of Service Commands”
◆ “Multicast Filtering Commands”
◆ “LLDP Commands”
◆ “CFM Commands”
◆ “OAM Commands”
◆ “Domain Name Service Commands”
◆ “DHCP Commands”
◆ “IP Interface Commands”
2 Using the Command Line Interface

This chapter describes how to use the Command Line Interface (CLI).

Accessing the CLI

When accessing the management interface for the switch over a direct connection to the server’s console port, or via a Telnet or Secure Shell connection (SSH), the switch can be managed by entering command keywords and parameters at the prompt. Using the switch's command-line interface (CLI) is very similar to entering commands on a UNIX system.
portion. For example, the IP address assigned to this switch, 10.1.0.1, consists of a network portion (10.1.0) and a host portion (1).

Note: The IP address for this switch is obtained via DHCP by default.

To access the switch through a Telnet session, you must first set the IP address for the Master unit, and set the default gateway if you are managing the switch from a different IP subnet.
Entering Commands

This section describes how to enter CLI commands.

Keywords and Arguments

A CLI command is a series of keywords and arguments. Keywords identify a command, and arguments specify configuration parameters. For example, in the command “show interfaces status ethernet 1/5,” show interfaces and status are keywords, ethernet is an argument that specifies the interface type, and 1/5 specifies the unit/port.
Getting Help on Commands
You can display a brief description of the help system by entering the help command. You can also display command syntax by using the “?” character to list keywords or parameters.

Showing Commands
If you enter a “?” at the command prompt, the system will display the first level of keywords or command groups. You can also display a list of valid keywords for a specific command.
power power-save pppoe privilege process protocol-vlan public-key qos queue radius-server reload rmon rspan running-config sflow snmp snmp-server sntp spanning-tree ssh startup-config subnet-vlan system tacacs-server tech-support time-range traffic-segmentation udld upgrade users version vlan vlan-translation voice watchdog web-auth Console#show Shows power Shows the power saving information Displays PPPoE configuration Shows current privilege
Partial Keyword Lookup
If you terminate a partial keyword with a question mark, alternatives that match the initial letters are provided. (Remember not to leave a space between the command and question mark.) For example “s?” shows all the keywords starting with “s.
Table 3: General Command Modes
Class            Mode
Exec             Normal
                 Privileged
Configuration    Global*
                 Access Control List
                 CFM
                 Class Map
                 ERPS
                 IGMP Profile
                 Interface
                 Line
                 Multiple Spanning Tree
                 Policy Map
                 Time Range
                 VLAN Database
* You must be in Privileged Exec mode to access the Global configuration mode. You must be in Global Configuration mode to access any of the other configuration modes.
Configuration Commands
Configuration commands are privileged level commands used to modify switch settings. These commands modify the running configuration only and are not saved when the switch is rebooted. To store the running configuration in nonvolatile storage, use the copy running-config startup-config command.
To enter the Global Configuration mode, enter the command configure in Privileged Exec mode. The system prompt will change to “Console(config)#” which gives you access privilege to all Global Configuration commands.
For example, you can use the following commands to enter interface configuration mode, and then return to Privileged Exec mode:

Console(config)#interface ethernet 1/5
.
.
.
Console(config-if)#end
Console#

Command Line Processing
Commands are not case sensitive. You can abbreviate commands and parameters as long as they contain enough letters to differentiate them from any other currently available commands or parameters.
CLI Command Groups
The system commands can be broken down into the functional groups shown below.
Table 6: Command Group Index (Continued)
Command Group    Description
Spanning Tree    Configures Spanning Tree settings for the switch
ERPS             Configures Ethernet Ring Protection Switching for increased availability of Ethernet rings commonly used in service provider networks
VLANs            Configures VLAN settings, and defines port membership for VLAN groups; also enables or configures protocol VLANs, voice VLANs, and QinQ tunneling
NE (Normal Exec)
PE (Privileged Exec)
PM (Policy Map Configuration)
TR (Time Range Configuration)
VC (VLAN Database Configuration)
3 General Commands

The general commands are used to control the command access mode, configuration mode, and other basic functions.
Command Mode
Global Configuration

Command Usage
This command and the hostname command can be used to set the command line prompt as shown in the example below. Using the no form of either command will restore the default command line prompt.

Example
Console(config)#prompt RD2
RD2(config)#

reload (Global Configuration)
This command restarts the system at a specified time, after a specified delay, or at a periodic interval.
reload regularly - A specific time of the day at which to always reload the switch.
hour - The hour at which to reload. (Range: 0-23)
minute - The minute at which to reload. (Range: 0-59)
period - Indicates to reload regularly only on the specified days.
daily - everyday
weekly day-of-week - a specified day of the week at which to reload regularly. (Range: monday ... saturday)
monthly day-of-month - a specified day of the month at which to reload regularly.
Syntax
enable [level]
level - Privilege level to log into the device. The device has two predefined privilege levels: 0: Normal Exec, 15: Privileged Exec. Enter level 15 to access Privileged Exec mode.

Default Setting
Level 15

Command Mode
Normal Exec

Command Usage
◆ “super” is the default password required to change the command mode from Normal Exec to Privileged Exec. (To set this password, see the enable password command.
***************************************************************
WARNING - MONITORED ACTIONS AND ACCESSES
Station's information:
Floor / Row / Rack / Sub-Rack
/ / /
DC power supply:
Power Source A: Floor / Row / Rack / Electrical circuit
/ / /
Number of LP:
Position MUX:
IP LAN:
Note:
MOTD:
***************************************************************
Username:

show history
This command shows the contents of the command history buffer.
The ! command repeats commands from the Execution command history buffer when you are in Normal Exec or Privileged Exec Mode, and commands from the Configuration command history buffer when you are in any of the configuration modes. In this example, the !2 command repeats the second command in the Execution history buffer (config).

Console#!2
Console#config
Console(config)#

configure
This command activates Global Configuration mode.
Example
Console#disable
Console>

Related Commands
enable (93)

reload (Privileged Exec)
This command restarts the system.

Note: When the system is restarted, it will always run the Power-On Self-Test. It will also retain all configuration information stored in non-volatile memory by the copy running-config startup-config command.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
This command resets the entire system.
end
This command returns to Privileged Exec mode.

Default Setting
None

Command Mode
Global Configuration, Access Control List Configuration, CFM Configuration, Class Map Configuration, ERPS Configuration, IGMP Profile Configuration, Interface Configuration, Line Configuration, Multiple Spanning Tree Configuration, Policy Map Configuration, Time Range Configuration, and VLAN Database Configuration.
Number of LP:
Position MUX:
IP LAN:
Note:
MOTD:
***************************************************************
4 System Management Commands

The system management commands are used to control system logs, passwords, user names, management options, and display or configure a variety of other system information.
hostname
This command specifies or modifies the host name for this device. Use the no form to restore the default host name.

Syntax
hostname name
no hostname
name - The name of this host. (Maximum length: 255 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ The host name specified by this command is displayed by the show system command and on the Show > System web page.
Table 10: Banner Commands (Continued)
Command                                Function                                                                     Mode
banner configure department            Configures the Department information that is displayed by banner            GC
banner configure equipment-info        Configures the Equipment information that is displayed by banner             GC
banner configure equipment-location    Configures the Equipment Location information that is displayed by banner
banner configure ip-lan                Configures the IP and LAN information that is displ
Example
Console(config)#banner configure
Company: Edgecore Networks
Responsible department: R&D Dept
Name and telephone to Contact the management people
Manager1 name: Sr. Network Admin
phone number: 123-555-1212
Manager2 name: Jr. Network Admin
phone number: 123-555-1213
Manager3 name: Night-shift Net Admin / Janitor
phone number: 123-555-1214
The physical location of the equipment.
City and street address: 12 Straight St.
Example
Console(config)#banner configure company Big-Ben
Console(config)#

banner configure dc-power-info
This command is used to configure DC power information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure dc-power-info floor floor-id row row-id rack rack-id electrical-circuit ec-id
no banner configure dc-power-info [row | rack | electrical-circuit]
floor floor-id - The floor number.
banner configure department
This command is used to configure the department information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure department dept-name
no banner configure department
dept-name - The name of the department. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces. The banner configure equipment-info command interprets spaces as data input boundaries. The use of underscores ( _ ) or other unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.
banner configure ip-lan
This command is used to configure the device IP address and subnet mask information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure ip-lan ip-mask
no banner configure ip-lan
ip-mask - The IP address and subnet mask of the device. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
Example
Console(config)#banner configure lp-number 12
Console(config)#

banner configure manager-info
This command is used to configure the manager contact information displayed in the banner. Use the no form to restore the default setting.
banner configure mux
This command is used to configure the mux information displayed in the banner. Use the no form to restore the default setting.

Syntax
banner configure mux muxinfo
no banner configure mux
muxinfo - The circuit and PVC to which the switch is connected. (Maximum length: 32 characters)

Default Setting
None

Command Mode
Global Configuration

Command Usage
Input strings cannot contain spaces.
unobtrusive non-letter characters is suggested for situations where white space is necessary for clarity.

Example
Console(config)#banner configure note !!!!!ROUTINE_MAINTENANCE_firmwareupgrade_0100-0500_GMT-0500_20071022!!!!!_20min_network_impact_expected
Console(config)#

show banner
This command displays all banner information.
System Status
This section describes commands used to display system information.
Example
Console#show access-list tcam-utilization
Pool capability code:
AM - MAC ACL, A4 - IPv4 ACL, A6S - IPv6 Standard ACL, A6E - IPv6 extended ACL, DM - MAC diffServ, D4 - IPv4 diffServ, D6S - IPv6 standard diffServ, D6E - IPv6 extended diffServ, AEM - Egress MAC ACL, AE4 - Egress IPv4 ACL, AE6S - Egress IPv6 standard ACL, AE6E - Egress IPv6 extended ACL, DEM - Egress MAC diffServ, DE4 - Egress IPv4 diffServ, DE6S - Egress IPv6 standard diffServ, DE6E
show process cpu
This command shows the CPU utilization parameters, alarm status, and alarm thresholds.
Table 12: show process cpu guard - display description
Field                      Description
CPU Guard Configuration
Status                     Shows if CPU Guard has been enabled.
High Watermark             If the percentage of CPU usage time is higher than the high watermark, the switch stops packet flow to the CPU (allowing it to catch up with packets already in the buffer) until usage time falls below the low watermark.
DNS_PROXY_TD DNS_RESOL_TD DRIVER_GROUP DRIVER_GROUP_DI DRIVER_GROUP_TX ERPS_GROUP GVRP_GROUP HTTP_TD IML_TX KEYGEN_TD L2MCAST_GROUP L2MUX_GROUP L2_L4_PROCESS L4_GROUP LACP_GROUP NETACCESS_GROUP NETACCESS_NMTR NETCFG_GROUP NETCFG_PROC NIC NMTRDRV NSM_GROUP NSM_TD OAM_GROUP OAM_TXLBK_TD PPPOE_IA_GROUP RADIUS SFLOW_PROC SFLOW_TD SNMP_GROUP SNMP_TD SSH_GROUP SSH_TD STA_GROUP STKCTRL_GROUP STKTPLG_GROUP STKTPLG_PROC SWCTRL_GROUP SWCTRL_TD SWDRV_MONITOR SYSDRV
show running-config
This command displays the configuration information currently in use.

Syntax
show running-config [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Console#show running-config
Building startup configuration. Please wait...
!00
!01_00-e0-0c-00-00-fd_00
!
snmp-server community public ro
snmp-server community private rw
!
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
vlan database
VLAN 1 name DefaultVlan media ethernet
!
spanning-tree mst configuration
!
interface vlan 1
ip address dhcp
.
.
.
◆ This command displays settings for key command modes. Each mode group is separated by “!” symbols, and includes the configuration mode command, and corresponding commands.
Web Server Port          : 80
Web Secure Server        : Enabled
Web Secure Server Port   : 443
Telnet Server            : Enabled
Telnet Server Port       : 23
Jumbo Frame              : Disabled
System Fan:
Force Fan Speed Full     : Disabled
Unit 1
Fan 1: Ok                Fan 2: Ok
System Temperature:
Unit 1
Temperature 1: 35 degrees
Unit 1
Main Power Status        : Up
Console#

Table 13: show system – display description
Parameter             Description
System Description    Brief description of device type.
Command Usage
This command generates a long list of information including detailed system and interface settings. It is therefore advisable to direct the output to a file using any suitable output capture function provided with your terminal emulation program.

Example
Console#show tech-support
dir:
File Name                      Type    Startup Modified Time       Size (bytes)
------------------------------ ------- ------- ------------------- ----------
Unit 1:
runtime.
Example
Console#show users
User Name Accounts:
User Name            Privilege  Public-Key
-------------------- ---------- --------------
admin                15         None
guest                0          None

Online Users:
Line      Session ID User Name            Idle Time (h:m:s) Remote IP Addr
--------- ---------- -------------------- ----------------- -----------------
*Console  0          admin                0:00:00
Telnet    1          admin                0:00:04           192.168.2.

Web Online
Line
----------
HTTP
Table 14: show version – display description (Continued)
Parameter                 Description
Loader Version            Version number of loader code.
Linux Kernel Version      Version number of Linux kernel.
Operation Code Version    Version number of runtime code.

show watchdog
This command shows if watchdog debugging is enabled.
Fan Control
This section describes the command used to force fan speed.

Table 15: Fan Control Commands
Command                 Function                            Mode
fan-speed force-full    Forces fans to full speed           GC
show system             Shows if full fan speed is enabled  NE, PE

fan-speed force-full
This command sets all fans to full speed. Use the no form to reset the fans to normal operating speed.
frame-size - the size in bytes (Range: 1500-9216)

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
◆ This switch provides more efficient throughput for large sequential data transfers by supporting Layer 2 jumbo frames on Gigabit and 10 Gigabit Ethernet ports or trunks of up to 10240 bytes. Compared to standard Ethernet frames that run only up to 1.
When downloading runtime code, the destination file name can be specified to replace the current image, or the file can be first downloaded using a different name from the current runtime code file, and then the new file set as the startup file.

Saving or Restoring Configuration Settings
Configuration settings can be uploaded and downloaded to and from an FTP/TFTP server. The configuration file can be later downloaded to restore switch settings.
General Commands

boot system
This command specifies the file or image used to start up the system.

Syntax
boot system {boot-rom | config | opcode}: filename
boot-rom* - Boot ROM.
config* - Configuration file.
opcode* - Run-time operation code.
filename - Name of configuration file or code image.
* The colon (:) is required.

Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ A colon (:) is required after the specified file type.
copy
This command moves (upload/download) a code image or configuration file between the switch’s flash memory and an FTP/TFTP server or a USB memory stick. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
◆ The destination file name should not contain slashes (\ or /), and the maximum length for file names is 32 characters for files on the switch or 127 characters for files on the server. (Valid characters: A-Z, a-z, 0-9, “.”, “-”)
◆ The switch supports only two operation code files, but the maximum number of user-defined configuration files is 16.
◆ You can use “Factory_Default_Config.
Destination file name: startup2.cfg
Success.
Console#

The following example shows how to copy the running configuration to a startup file.

Console#copy running-config file
destination file name: startup2.cfg
Flash Programming started.
Flash Programming completed.
Success.
Console#

The following example shows how to download a configuration file:

Console#copy tftp startup-config
TFTP server ip address: 10.1.0.
Console#

This example shows how to copy a file to an FTP server.

Console#copy ftp file
FTP server IP address: 192.168.2.243
User[anonymous]: admin
Password[]: *****
Choose file type:
1. config: 2. opcode: 2
Source file name: ecs4120-run-v1.0.2.43.bix
Destination file name: ecs4120-run-v1.0.2.43.bix
Flash Programming started.
Flash Programming completed.
Success.
Console#

This example shows how to copy a banner text file from a TFTP server.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ If the file type is used for system startup, then this file cannot be deleted.
◆ “Factory_Default_Config.cfg” cannot be deleted.
◆ A colon (:) is required after the specified unit number.
◆ If the public key type is not specified, then both DSA and RSA keys will be deleted.

Example
This example shows how to delete the test2.cfg configuration file from flash memory.
Command Usage
◆ If you enter the command dir without any parameters, the system displays all files.
◆ A colon (:) is required after the specified unit number.

File information is shown below:

Table 18: File Directory Information
Column Heading    Description
File Name         The name of the file.
Type              File types: Boot-Rom, Operation Code, and Config file.
Startup           Shows if this file is used when the system is started.
Example
This example shows the information displayed by the whichboot command. See the table under the dir command for a description of the file information displayed by this command.

Console#whichboot
File Name
------------------------------
Unit 1:
ecs4120-run-v1.0.2.43.bix
startup1.
◆ Any changes made to the default setting can be displayed with the show running-config or show startup-config commands.

Example
Console(config)#upgrade opcode auto
Console(config)#upgrade opcode path tftp://192.168.0.1/sm24/
Console(config)#

If a new image is found at the specified location, the following type of messages will be displayed during bootup.

.
.
.
Automatic Upgrade is looking for a new image
New image detected: current version 1.1.1.
tftp://192.168.0.1[/filedir]/

◆ When specifying an FTP server, the following syntax must be used, where filedir indicates the path to the directory containing the new image:

ftp://[username[:password@]]192.168.0.1[/filedir]/

If the user name is omitted, “anonymous” will be used for the connection. If the password is omitted a null string (“”) will be used for the connection.

Example
This shows how to specify a TFTP server where new code is stored.
show upgrade
This command shows the opcode upgrade configuration settings.

Command Mode
Privileged Exec

Example
Console#show upgrade
Auto Image Upgrade Global Settings:
Status        : Disabled
Reload Status : Disabled
Path          :
File Name     : ECS4120-Series.
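The show running-config example and the upgrade opcode path syntax above can both be checked offline against a saved configuration. The following Python example is added here and is not code from this guide or from Edgecore; it flags the default SNMP community strings shown in the running-config example and parses an upgrade path according to the tftp:// and ftp:// syntax above. The sample configuration, the severity labels and all function names are constructed for illustration.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "line severity message")

# Constructed sample modelled on the show running-config and upgrade opcode
# examples in this guide; it is not a capture from a real switch.
SAMPLE_RUNNING_CONFIG = """\
!
snmp-server community public ro
snmp-server community private rw
!
enable password 7 1b3231655cebb7a1f783eddf27d254ca
!
upgrade opcode auto
upgrade opcode path ftp://admin:secret@192.168.0.1/sm24/
!
interface vlan 1
 ip address dhcp
!
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(ro|rw))?$", re.I)
UPGRADE_PATH_RE = re.compile(r"^upgrade opcode path (\S+)$", re.I)


def parse_upgrade_path(url):
    """Split tftp://host[/filedir]/ or ftp://[user[:password@]]host[/filedir]/."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("tftp", "ftp"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    if not parts.hostname:
        raise ValueError("missing server address")
    info = {"scheme": scheme, "server": parts.hostname,
            "directory": parts.path or "/", "user": None,
            "password": None, "password_in_config": False}
    if scheme == "ftp":
        # Defaults stated in the guide: "anonymous" user, null-string password.
        info["user"] = parts.username or "anonymous"
        info["password"] = parts.password or ""
        info["password_in_config"] = bool(parts.password)
    return info


def audit_running_config(text):
    """Return Finding tuples for SNMP community and upgrade path lines."""
    lines = [raw.strip() for raw in text.splitlines()]
    auto = any(line.lower() == "upgrade opcode auto" for line in lines)
    when = "auto upgrade enabled" if auto else "auto upgrade not enabled"
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMMUNITY_RE.match(line)
        if match:
            name = match.group(1)
            access = (match.group(2) or "unspecified").lower()
            if name.lower() in DEFAULT_COMMUNITIES:
                severity = "high" if access == "rw" else "medium"
                findings.append(Finding(
                    number, severity, f"default SNMP community '{name}' ({access})"))
            elif access == "rw":
                findings.append(Finding(
                    number, "low", f"read-write SNMP community '{name}'"))
            continue
        match = UPGRADE_PATH_RE.match(line)
        if not match:
            continue
        try:
            info = parse_upgrade_path(match.group(1))
        except ValueError as exc:
            findings.append(Finding(number, "medium", f"upgrade path not parseable: {exc}"))
            continue
        source = f"{info['server']}{info['directory']}"
        if info["password_in_config"]:
            # The password itself is never copied into the finding text.
            findings.append(Finding(
                number, "high",
                f"FTP password for user '{info['user']}' stored in upgrade path to {source} ({when})"))
        elif info["scheme"] == "tftp":
            findings.append(Finding(
                number, "high" if auto else "medium",
                f"image source {source} uses TFTP, which has no authentication ({when})"))
        else:
            findings.append(Finding(
                number, "high" if auto else "medium",
                f"FTP login as '{info['user']}' with an empty password to {source} ({when})"))
    return findings


if __name__ == "__main__":
    for finding in audit_running_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {finding.line}: [{finding.severity}] {finding.message}")
```

The line numbers in the findings refer to the saved configuration text, so they can be matched against the output captured from show running-config.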
ip tftp timeout
This command specifies the time the switch can wait for a response from a TFTP server before retransmitting a request or timing out for the last retry. Use the no form to restore the default setting.

Syntax
ip tftp timeout seconds
no ip tftp timeout
seconds - The time the switch can wait for a response from a TFTP server before retransmitting a request or timing out.
Line
You can access the onboard configuration program by attaching a VT100 compatible device to the server’s serial port. These commands are used to set communication parameters for the serial port or Telnet (i.e., a virtual terminal).
line
This command identifies a specific line for configuration, and to process subsequent line configuration commands.

Syntax
line {console | vty}
console - Console terminal line.
vty - Virtual terminal for remote console access (i.e., Telnet).

Default Setting
There is no default line.

Command Mode
Global Configuration

Command Usage
Telnet is considered a virtual terminal connection and will be shown as “VTY” in screen displays such as show users.
Command Usage
The databits command can be used to mask the high bit on input from devices that generate 7 data bits with parity. If parity is being generated, specify 7 data bits per character. If no parity is required, specify 8 data bits per character.
login
This command enables password checking at login. Use the no form to disable password checking and allow connections without a password.

Syntax
login [local]
no login
local - Selects local password checking. Authentication is based on the user name specified with the username command.
parity
This command defines the generation of a parity bit. Use the no form to restore the default setting.

Syntax
parity {none | even | odd}
no parity
none - No parity
even - Even parity
odd - Odd parity

Default Setting
No parity

Command Mode
Line Configuration

Command Usage
Communication protocols provided by devices such as terminals and modems often require a specific parity bit setting.
Command Usage
◆ When a connection is started on a line with password protection, the system prompts for the password. If you enter the correct password, the system shows a prompt. You can use the password-thresh command to set the number of times a user can enter an incorrect password before the system terminates the line connection and returns the terminal to the idle state.
Example
To set the password threshold to five attempts, enter this command:

Console(config-line-console)#password-thresh 5
Console(config-line-console)#

Related Commands
silent-time (145)

silent-time
This command sets the amount of time the management console is inaccessible after the number of unsuccessful logon attempts exceeds the threshold set by the password-thresh command. Use the no form to remove the silent time value.
speed
This command sets the terminal line’s baud rate. This command sets both the transmit (to terminal) and receive (from terminal) speeds. Use the no form to restore the default setting.

Syntax
speed bps
no speed
bps - Baud rate in bits per second. (Options: 9600, 19200, 38400, 57600, 115200 bps)

Default Setting
115200 bps

Command Mode
Line Configuration

Command Usage
Set the speed to match the baud rate of the device connected to the serial port.
Example
To specify 2 stop bits, enter this command:

Console(config-line-console)#stopbits 2
Console(config-line-console)#

timeout login response
This command sets the interval that the system waits for a user to log into the CLI. Use the no form to restore the default setting.

Syntax
timeout login response [seconds]
no timeout login response
seconds - Integer that specifies the timeout interval.
disconnect
This command terminates an SSH, Telnet, or console connection.

Syntax
disconnect session-id
session-id – The session identifier for an SSH, Telnet or console connection. (Range: 0-8)

Command Mode
Privileged Exec

Command Usage
Specifying session identifier “0” will disconnect the console connection. Specifying any other identifiers for an active session will disconnect an SSH or Telnet connection.
ansi-bbs - ANSI-BBS
vt-100 - VT-100
vt-102 - VT-102
width width - The number of character columns displayed on the terminal. (Range: 0-80)

Default Setting
Escape Character: 27 (ASCII-number)
History: 10
Length: 24
Terminal Type: VT100
Width: 80

Command Mode
Privileged Exec

Example
This example sets the number of lines displayed by commands with lengthy output such as show running-config to 48 lines.
Terminal Type       : VT100
Console Configuration:
Password Threshold  : 3 times
EXEC Timeout        : 600 seconds
Login Timeout       : 300 seconds
Silent Time         : Disabled
Baud Rate           : 115200
Data Bits           : 8
Parity              : None
Stop Bits           : 1
VTY Configuration:
Password Threshold  : 3 times
EXEC Timeout        : 600 seconds
Login Timeout       : 300 sec.
Silent Time         : Disabled
Console#

Event Logging
This section describes commands used to configure event logging on the switch.
logging facility
This command sets the facility type for remote logging of syslog messages. Use the no form to return the type to the default.

Syntax
logging facility type
no logging facility
type - A number that indicates the facility used by the syslog server to dispatch log messages to an appropriate service.
logging history
This command limits syslog messages saved to switch memory based on severity. The no form returns the logging of syslog messages to the default level.

Syntax
logging history {flash | ram} level
no logging history {flash | ram}
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
level - One of the levels listed below.
logging host
This command adds a syslog server host IP address that will receive logging messages. Use the no form to remove a syslog server host.

Syntax
logging host host-ip-address [port udp-port]
no logging host host-ip-address
host-ip-address - The IPv4 or IPv6 address of a syslog server.
udp-port - UDP port number used by the remote server.
Command Usage
◆ The higher the syslog severity level the more information is captured and consequently the log file size growth will be greater.
◆ Severity levels are described in Table 21.

Example
Console(config)#logging level user-login 7
Console(config)#

logging on
This command controls logging of error messages, sending debug or error messages to a logging process. The no form disables the logging process.
Syntax
logging trap [level level]
no logging trap [level]
level - One of the syslog severity levels listed in the table on page 152. Messages sent include the selected level through level 0.

Default Setting
Disabled
Level 7

Command Mode
Global Configuration

Command Usage
◆ Using this command with a specified level enables remote logging and sets the minimum severity level to be saved.
Related Commands
show log (156)

show log
This command displays the log messages stored in local memory.

Syntax
show log {flash | ram} [login]
flash - Event history stored in flash memory (i.e., permanent memory).
ram - Event history stored in temporary RAM (i.e., memory flushed on power reset).
login - Option to show the contents of the login buffers.
show logging
This command displays the configuration settings for logging messages to local switch memory, to an SMTP event handler, or to a remote syslog server.

Syntax
show logging {flash | ram | sendmail | trap}
flash - Displays settings for storing event messages in flash memory (i.e., permanent memory).
ram - Displays settings for storing event messages in temporary RAM (i.e., memory flushed on power reset).
Status        : Disabled
Facility Type : Local use 7 (23)
Level Type    : Debugging messages (7)
Console#

Table 23: show logging trap - display description
Field                           Description
Global Configuration
Syslog Logging                  Shows if remote logging has been enabled via the logging trap command.
Remote Logging Configuration
Status                          Shows if remote logging has been enabled via the logging trap command.
logging sendmail
This command enables SMTP event handling. Use the no form to disable this function.

Syntax
[no] logging sendmail

Default Setting
Enabled

Command Mode
Global Configuration

Example
Console(config)#logging sendmail
Console(config)#

logging sendmail host
This command specifies SMTP servers that will be sent alert messages. Use the no form to remove an SMTP server.
Chapter 4 | System Management Commands SMTP Alerts Example Console(config)#logging sendmail host 192.168.1.19 Console(config)# logging sendmail level This command sets the severity threshold used to trigger alert messages. Use the no form to restore the default setting. Syntax logging sendmail level level no logging sendmail level level level - One of the system message levels (page 152). Messages sent include the selected level down to level 0.
Command Mode
Global Configuration

Command Usage
You can specify up to five recipients for alert messages. However, you must enter a separate command to specify each recipient.

Example
Console(config)#logging sendmail destination-email ted@this-company.com
Console(config)#

logging sendmail source-email
This command sets the email address used for the “From” field in alert messages. Use the no form to restore the default value.
Chapter 4 | System Management Commands Time
 1. 192.168.2.243
SMTP Minimum Severity Level: 6
SMTP Destination E-mail Addresses
-----------------------------------------------
 1. dayshift1@mail.com
SMTP Source E-mail Address: switch12@mail.com
SMTP Status: Enabled
Console#

Time
The system clock can be dynamically set by polling a set of specified time servers (NTP or SNTP). Maintaining an accurate time on the switch enables the system log to record meaningful dates and times for event entries.
Table 25: Time Commands (Continued)
Command         Function                                      Mode
calendar set    Sets the system date and time                 PE
show calendar   Displays the current date and time setting    NE, PE
* Daylight savings time.

SNTP Commands

sntp client
This command enables SNTP client requests for time synchronization from NTP or SNTP time servers specified with the sntp server command. Use the no form to disable SNTP client requests.
Chapter 4 | System Management Commands Time show sntp (165) sntp poll This command sets the interval between sending time requests when the switch is set to SNTP client mode. Use the no form to restore to the default. Syntax sntp poll seconds no sntp poll seconds - Interval between time requests.
Chapter 4 | System Management Commands Time Example Console(config)#sntp server 10.1.0.19 Console# Related Commands sntp client (163) sntp poll (164) show sntp (165) show sntp This command displays the current time and configuration settings for the SNTP client, and indicates whether or not the local time has been properly updated.
Chapter 4 | System Management Commands Time Command Usage You can enable NTP authentication to ensure that reliable updates are received from only authorized NTP servers. The authentication keys and their associated key number must be centrally managed and manually distributed to NTP servers and clients. The key numbers and key values must match on both the server and client.
Chapter 4 | System Management Commands Time ◆ Use the no form of this command without an argument to clear all authentication keys in the list. Example Console(config)#ntp authentication-key 45 md5 thisiskey45 Console(config)# Related Commands ntp authenticate (165) ntp client This command enables NTP client requests for time synchronization from NTP time servers specified with the ntp servers command. Use the no form to disable NTP client requests.
Chapter 4 | System Management Commands Time Related Commands sntp client (163) ntp server (168) ntp server This command sets the IP addresses of the servers to which NTP time requests are issued. Use the no form of the command to clear a specific time server or all servers from the current list. Syntax ntp server ip-address [key key-number] no ntp server [ip-address] ip-address - IPv4 or IPv6 address of an NTP time server (Range: a.b.c.
Chapter 4 | System Management Commands Time Related Commands ntp client (167) show ntp (169) show ntp This command displays the current time and configuration settings for the NTP client, and indicates whether or not the local time has been properly updated. Command Mode Normal Exec, Privileged Exec Command Usage This command displays the current time, the poll interval used for sending time synchronization requests, and the current NTP mode (i.e., unicast).
name - Name of the time zone while summer time is in effect, usually an acronym. (Range: 1-30 characters)
b-date - Day of the month when summer time will begin. (Range: 1-31)
b-month - The month when summer time will begin. (Options: january | february | march | april | may | june | july | august | september | october | november | december)
b-year - The year summer time will begin. (Range: 1970-2037 years)
b-hour - The hour summer time will begin.
Related Commands
show sntp (165)

clock summer-time (predefined)
This command configures the summer time (daylight savings time) status and settings for the switch using predefined configurations for several major regions in the world. Use the no form to disable summer time.

Syntax
clock summer-time name predefined [australia | europe | new-zealand | usa]
no clock summer-time
name - Name of the timezone while summer time is in effect, usually an acronym.
Example
The following example sets the Summer Time setting to use the predefined settings for the European region.
Console(config)#clock summer-time MESZ predefined europe
Console(config)#

Related Commands
show sntp (165)

clock summer-time (recurring)
This command allows the user to manually configure the start, end, and offset times of summer time (daylight savings time) for the switch on a recurring basis. Use the no form to disable summer-time.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage ◆ In some countries or regions, clocks are adjusted through the summer months so that afternoons have more daylight and mornings have less. This is known as Summer Time, or Daylight Savings Time (DST). Typically, clocks are adjusted forward one hour at the start of spring and then adjusted backward in autumn. ◆ This command sets the summer-time time zone relative to the currently configured time zone.
Chapter 4 | System Management Commands Time Command Mode Global Configuration Command Usage This command sets the local time zone relative to the Coordinated Universal Time (UTC, formerly Greenwich Mean Time or GMT), based on the earth’s prime meridian, zero degrees longitude. To display a time corresponding to your local time, you must indicate the number of hours and minutes your time zone is east (before) or west (after) of UTC.
Chapter 4 | System Management Commands Time GMT+0200-Jerusalem GMT+0300-Baghdad GMT+0300-Kuwait,Riyadh GMT+0300-Moscow,St.
Chapter 4 | System Management Commands Time GMT-0700-Arizona GMT-0700-Chihuahua,La-Paz,Mazatlan GMT-0700-Mountain-Time(US&Canada) GMT-0800-Pacific-Time(US&Canada),Tijuana GMT-0900-Alaska GMT-0930-Taiohae GMT-1000-Hawaii GMT-1100-Midway-Island,Samoa GMT-1200-International-Date-Line-West GMT-Casablanca,Monrovia GMT-Greenwich-Mean-Time-Dublin,Edinburgh,Lisbon,London Example This example sets the timezone to GMT+1030-Lord-Howe-Island and shows the result.
Chapter 4 | System Management Commands Time Range
Command Usage
Note that when SNTP is enabled, the system clock cannot be manually configured.

Example
This example shows how to set the system clock to 15:12:34, February 1st, 2015.
Console#calendar set 15 12 34 1 february 2015
Console#

show calendar
This command displays the system clock.
Chapter 4 | System Management Commands Time Range time-range This command specifies the name of a time range, and enters time range configuration mode. Use the no form to remove a previously specified time range. Syntax [no] time-range name name - Name of the time range. (Range: 1-32 characters) Default Setting None Command Mode Global Configuration Command Usage This command sets a time range for use by other functions, such as Access Control Lists.
Chapter 4 | System Management Commands Time Range hour - Hour in 24-hour format. (Range: 0-23) minute - Minute. (Range: 0-59) day - Day of month. (Range: 1-31) month - january | february | march | april | may | june | july | august | september | october | november | december year - Year (4-digit).
Chapter 4 | System Management Commands Time Range periodic This command sets the time range for the periodic execution of a command. Use the no form to remove a previously specified time range.
Example
This example configures a time range for the periodic occurrence of an event on a daily basis from 1:01 AM to 2:01 AM.
Console(config)#time-range sales
Console(config-time-range)#periodic daily 1 1 to 2 1
Console(config-time-range)#

This example is the same as the first example, except that the extra daily keyword is used; the resulting configuration is the same.
Chapter 4 | System Management Commands Switch Clustering show time-range This command shows configured time ranges. Syntax show time-range [name] name - Name of the time range.
Chapter 4 | System Management Commands Switch Clustering Using Switch Clustering ◆ A switch cluster has a primary unit called the “Commander” which is used to manage all other “Member” switches in the cluster. The management station can use either Telnet or the web interface to communicate directly with the Commander through its IP address, and then use the Commander to manage the Member switches through the cluster’s “internal” IP addresses.
Chapter 4 | System Management Commands Switch Clustering Cluster IP Pool that does not conflict with any other IP subnets in the network. Cluster IP addresses are assigned to switches when they become Members and are used for communication between Member switches and the Commander. ◆ Switch clusters are limited to the same Ethernet broadcast domain. ◆ There can be up to 100 candidates and 16 member switches in one cluster. ◆ A switch can only be a Member of one cluster.
Chapter 4 | System Management Commands Switch Clustering cluster ip-pool This command sets the cluster IP address pool. Use the no form to reset to the default address. Syntax cluster ip-pool ip-address no cluster ip-pool ip-address - The base IP address for IP addresses assigned to cluster Members. The IP address must start 10.x.x.x. Default Setting 10.254.254.1 Command Mode Global Configuration Command Usage ◆ An “internal” IP address pool is used to assign IP addresses to Member switches in the cluster.
Chapter 4 | System Management Commands Switch Clustering Command Mode Global Configuration Command Usage ◆ The maximum number of cluster Members is 16. ◆ The maximum number of cluster Candidates is 100. Example Console(config)#cluster member mac-address 00-12-34-56-78-9a id 5 Console(config)# rcommand This command provides access to a cluster Member CLI for configuration. Syntax rcommand id member-id member-id - The ID number of the Member switch.
Example
Console#show cluster
 Role                 : commander
 Interval Heartbeat   : 30
 Heartbeat Loss Count : 3 seconds
 Number of Members    : 1
 Number of Candidates : 2
Console#

show cluster members
This command shows the current switch cluster members.

Command Mode
Privileged Exec

Example
Console#show cluster members
Cluster Members:
 ID : 1
 Role : Active member
 IP Address : 10.254.254.
5 SNMP Commands SNMP commands control access to this switch from management stations using the Simple Network Management Protocol (SNMP), as well as the error types sent to trap managers. SNMP Version 3 also provides security features that cover message integrity, authentication, and encryption; as well as controlling user access to specific areas of the MIB tree.
Chapter 5 | SNMP Commands Table 29: SNMP Commands (Continued) Command Function Mode snmp-server group Adds an SNMP group, mapping users to views GC snmp-server user Adds a user to an SNMP group GC snmp-server view Adds an SNMP view GC show snmp engine-id Shows the SNMP engine ID PE show snmp group Shows the SNMP groups PE show snmp user Shows the SNMP users PE show snmp view Shows the SNMP views PE nlm Enables the specified notification log GC snmp-server notify-filter Creates a
Chapter 5 | SNMP Commands General SNMP Commands
Table 29: SNMP Commands (Continued)
Command                         Function                                                                                             Mode
transceiver-threshold tx-power  Sends a trap when the power level of the transmitted signal falls outside the specified thresholds  IC (Port)
transceiver-threshold voltage   Sends a trap when the transceiver voltage falls outside the specified thresholds                     IC (Port)
Additional Trap Commands
memory                          Sets the rising and falling threshold for the memory utilization alarm                              GC
process cpu                     Sets the rising
snmp-server community
This command defines community access strings used to authorize management access by clients using SNMP v1 or v2c. Use the no form to remove the specified community string.

Syntax
snmp-server community string [ro | rw]
no snmp-server community string
string - Community string that acts like a password and permits access to the SNMP protocol.
Chapter 5 | SNMP Commands General SNMP Commands Example Console(config)#snmp-server contact Paul Console(config)# Related Commands snmp-server location (193) snmp-server location This command sets the system location string. Use the no form to remove the location string. Syntax snmp-server location text no snmp-server location text - String that describes the system location.
Chapter 5 | SNMP Commands SNMP Target Host Commands Example Console#show snmp SNMP Agent : Enabled SNMP Traps : Authentication : Enabled MAC-notification : Disabled MAC-notification interval : 1 second(s) SNMP Communities : 1. public, and the access level is read-only 2.
Chapter 5 | SNMP Commands SNMP Target Host Commands Default Setting Issue authentication. Other traps are disabled. Command Mode Global Configuration Command Usage ◆ If you do not enter an snmp-server enable traps command, no notifications controlled by this command are sent. In order to configure this device to send SNMP notifications, you must enter at least one snmp-server enable traps command. If you enter the command with no keywords, both authentication and link-up-down notifications are enabled.
Chapter 5 | SNMP Commands SNMP Target Host Commands snmp-server host This command specifies the recipient of a Simple Network Management Protocol notification operation. Use the no form to remove the specified host. Syntax snmp-server host {host-addr [inform [retry retries | timeout seconds]] community-string} [version {1 | 2c | 3 {auth | noauth | priv}}] [udp-port port] no snmp-server host host-addr host-addr - IPv4 or IPv6 address of the host (the targeted recipient).
Chapter 5 | SNMP Commands SNMP Target Host Commands ◆ The snmp-server host command is used in conjunction with the snmp-server enable traps command. Use the snmp-server enable traps command to enable the sending of traps or informs and to specify which SNMP notifications are sent globally. For a host to receive notifications, at least one snmp-server enable traps command and the snmp-server host command for that host must be enabled.
Example
Console(config)#snmp-server host 10.1.19.23 batman
Console(config)#

Related Commands
snmp-server enable traps (194)

snmp-server enable port-traps link-up-down
This command enables the device to send SNMP traps from a specific interface (i.e., SNMP notifications) when the port’s link toggles its status from up to down or down to up. Use the no form to disable SNMP traps being sent.
Chapter 5 | SNMP Commands SNMP Target Host Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command can enable MAC authentication traps on the current interface only if they are also enabled at the global level with the snmp-server enable traps macauthentication command.
Chapter 5 | SNMP Commands SNMPv3 Commands

SNMPv3 Commands

snmp-server engine-id
This command configures an identification string for the SNMPv3 engine. Use the no form to restore the default.

Syntax
snmp-server engine-id {local | remote {ip-address}} engineid-string
no snmp-server engine-id {local | remote {ip-address}}
local - Specifies the SNMP engine on this switch.
remote - Specifies an SNMP engine on a remote device.
ip-address - IPv4 or IPv6 address of the remote device.
Chapter 5 | SNMP Commands SNMPv3 Commands Example Console(config)#snmp-server engine-id local 1234567890 Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)# Related Commands snmp-server host (196) snmp-server group This command adds an SNMP group, mapping SNMP users to SNMP views. Use the no form to remove an SNMP group.
Chapter 5 | SNMP Commands SNMPv3 Commands ◆ For additional information on the notification messages supported by this switch, see the table for “Supported Notification Messages” in the Web Management Guide. Also, note that the authentication, link-up and link-down messages are legacy traps and must therefore be enabled in conjunction with the snmp-server enable traps command.
Chapter 5 | SNMP Commands SNMPv3 Commands If the encrypted option is selected, enter an encrypted password. (Range: 32 characters for MD5 encrypted password, 40 characters for SHA encrypted password) 3des - Uses SNMPv3 with privacy with 3DES (168-bit) encryption. aes128 - Uses SNMPv3 with privacy with AES128 encryption. aes192 - Uses SNMPv3 with privacy with AES192 encryption. aes256 - Uses SNMPv3 with privacy with AES256 encryption. des56 - Uses SNMPv3 with privacy with DES56 encryption.
Chapter 5 | SNMP Commands SNMPv3 Commands Example Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien Console(config)#snmp-server engine-id remote 192.168.1.19 9876543210 Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien Console(config)# snmp-server view This command adds an SNMP view which controls user access to the MIB. Use the no form to remove an SNMP view.
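The security level each SNMP user or community ends up with can be read straight off saved configuration lines. The following Python audit is an added example, not part of this guide or the switch software; the token layout for snmp-server user is inferred from the examples and option lists on these pages, the severity scale is an assumption of the example, and every sample line other than the steve and mark entries is constructed.

```python
"""Added example: audit snmp-server community/user lines from a saved configuration."""
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    severity: str      # constructed scale for this example: high / medium / low
    message: str       # never contains a community string or password


WELL_KNOWN_COMMUNITIES = {"public", "private"}
LEGACY_PRIV = {"des56", "3des"}
PROMPT = "Console(config)#"


def audit_community(no: int, tok: List[str]) -> List[Finding]:
    """snmp-server community string [ro | rw]"""
    if len(tok) < 3:
        return []
    access = tok[3] if len(tok) > 3 else "access level not given"
    out = [Finding(no, "medium",
                   f"v1/v2c community ({access}): the string crosses the network unencrypted")]
    if tok[2].lower() in WELL_KNOWN_COMMUNITIES:
        out.append(Finding(no, "high", "community string is a well-known value"))
    if access == "rw":
        out.append(Finding(no, "high", "read-write community permits changes over v1/v2c"))
    return out


def audit_user(no: int, tok: List[str]) -> List[Finding]:
    """snmp-server user NAME GROUP [remote IP] MODEL [encrypted] [auth ALG PW [priv ALG PW]]"""
    if len(tok) < 5:
        return []
    user, rest = tok[2], tok[4:]
    if rest[0] == "remote":                 # skip "remote <ip-address>"
        rest = rest[2:]
    if not rest:
        return []
    model, opts = rest[0], rest[1:]
    if model in ("v1", "v2c"):
        return [Finding(no, "medium",
                        f"user {user}: {model} offers no authentication or encryption")]
    if model != "v3":
        return []
    if opts[:1] == ["encrypted"]:
        opts = opts[1:]
    if len(opts) < 3 or opts[0] != "auth":
        return [Finding(no, "high",
                        f"user {user}: v3 without auth, messages are unauthenticated")]
    out = []
    if opts[1] == "md5":
        out.append(Finding(no, "low", f"user {user}: md5 authentication, sha is also offered"))
    if len(opts) < 6 or opts[3] != "priv":
        out.append(Finding(no, "medium",
                           f"user {user}: auth without priv, payload is unencrypted"))
    elif opts[4] in LEGACY_PRIV:
        out.append(Finding(no, "medium",
                           f"user {user}: {opts[4]} is a legacy cipher, aes128/192/256 are offered"))
    return out


def audit(config: str) -> List[Finding]:
    """Return findings for every snmp-server community/user line, in file order."""
    findings: List[Finding] = []
    for no, line in enumerate(config.strip().splitlines(), start=1):
        line = line.strip()
        if line.startswith(PROMPT):         # accept lines pasted from a console session
            line = line[len(PROMPT):]
        tok = line.split()
        if tok[:2] == ["snmp-server", "community"]:
            findings += audit_community(no, tok)
        elif tok[:2] == ["snmp-server", "user"]:
            findings += audit_user(no, tok)
    return findings


# Lines 3 and 4 are the examples printed above; all other lines are constructed.
SAMPLE_CONFIG = """
snmp-server community public ro
snmp-server community n0c-wr1te rw
Console(config)#snmp-server user steve r&d v3 auth md5 greenpeace priv des56 einstien
Console(config)#snmp-server user mark r&d remote 192.168.1.19 v3 auth md5 greenpeace priv des56 einstien
snmp-server user ops netops v3 auth sha Constructed-Auth-Pw1 priv aes128 Constructed-Priv-Pw1
snmp-server user probe netops v3
snmp-server user legacy netops v2c
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.severity}] {f.message}")
```

Only the sha/aes128 user on line 5 of the sample passes without a finding.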
Chapter 5 | SNMP Commands SNMPv3 Commands This view includes the MIB-2 interfaces table, and the mask selects all index entries. Console(config)#snmp-server view ifEntry.a 1.3.6.1.2.1.2.2.1.1.* included Console(config)# show snmp engine-id This command shows the SNMP engine ID. Command Mode Privileged Exec Example This example shows the default engine ID.
Chapter 5 | SNMP Commands SNMPv3 Commands Group Name: public Security Model: v1 Read View: defaultview Write View: No writeview specified Notify View: No notifyview specified Storage Type: volatile Row Status: active Group Name: public Security Model: v2c Read View: defaultview Write View: No writeview specified Notify View: No notifyview specified Storage Type: volatile Row Status: active Group Name: private Security Model: v1 Read View: defaultview Write View: defaultview Notify View: No notifyview speci
Chapter 5 | SNMP Commands SNMPv3 Commands show snmp user This command shows information on SNMP users.
Chapter 5 | SNMP Commands Notification Log Commands
Example
Console#show snmp view
View Name    : mib-2
Subtree OID  : 1.2.2.3.6.2.1
View Type    : included
Storage Type : permanent
Row Status   : active

View Name    : defaultview
Subtree OID  : 1
View Type    : included
Storage Type : volatile
Row Status   : active

Console#

Table 33: show snmp view - display description
Field        Description
View Name    Name of an SNMP view.
Subtree OID  A branch in the MIB tree.
View Type    Indicates if the view is included or excluded.
◆ Disabling logging with this command does not delete the entries stored in the notification log.

Example
This example enables the notification log A1.
Console(config)#nlm A1
Console(config)#

snmp-server notify-filter
This command creates an SNMP notification log. Use the no form to remove this log.

Syntax
[no] snmp-server notify-filter profile-name remote ip-address
profile-name - Notification log profile name.
Chapter 5 | SNMP Commands Notification Log Commands ◆ To avoid this problem, notification logging should be configured and enabled using the snmp-server notify-filter command and nlm command, and these commands stored in the startup configuration file. Then when the switch reboots, SNMP traps (such as warm start) can now be logged. ◆ When this command is executed, a notification log is created (with the default parameters defined in RFC 3014).
Chapter 5 | SNMP Commands Additional Trap Commands

show snmp notify-filter
This command displays the configured notification logs.

Command Mode
Privileged Exec

Example
This example displays the configured notification logs and associated target hosts.
Console#show snmp notify-filter
Filter profile name          IP address
---------------------------- ---------------
A1                           10.1.19.23
Console#

Additional Trap Commands

memory
This command sets an SNMP trap based on configured thresholds for memory utilization.
Chapter 5 | SNMP Commands Additional Trap Commands Related Commands show memory (113) process cpu This command sets an SNMP trap based on configured thresholds for CPU utilization. Use the no form to restore the default setting. Syntax process cpu {rising rising-threshold | falling falling-threshold} no process cpu {rising | falling} rising-threshold - Rising threshold for CPU utilization alarm expressed in percentage.
Chapter 5 | SNMP Commands Additional Trap Commands process cpu guard This command sets the CPU utilization high and low watermarks in percentage of CPU time utilized and the CPU high and low thresholds in the number of packets being processed per second. Use the no form of this command without any parameters to restore all of the default settings, or with a specific parameter to restore the default setting for that item.
Chapter 5 | SNMP Commands Additional Trap Commands Command Usage ◆ Once the high watermark is exceeded, utilization must drop beneath the low watermark before the alarm is terminated, and then exceed the high watermark again before another alarm is triggered. ◆ Once the maximum threshold is exceeded, utilization must drop beneath the minimum threshold before the alarm is terminated, and then exceed the maximum threshold again before another alarm is triggered.
6 Remote Monitoring Commands Remote Monitoring allows a remote device to collect information or respond to specified events on an independent basis. This switch is an RMON-capable device which can independently perform a wide range of tasks, significantly reducing network management traffic. It can continuously run diagnostics and log information on network performance.
Chapter 6 | Remote Monitoring Commands rmon alarm This command sets threshold bounds for a monitored variable. Use the no form to remove an alarm. Syntax rmon alarm index variable interval {absolute | delta} rising-threshold threshold [event-index] falling-threshold threshold [event-index] [owner name] no rmon alarm index index – Index to this entry. (Range: 1-65535) variable – The object identifier of the MIB variable to be sampled. Only variables of the type etherStatsEntry.n.n may be sampled.
Chapter 6 | Remote Monitoring Commands generated until the sampled value has fallen below the rising threshold, reaches the falling threshold, and again moves back up to the rising threshold. ◆ If the current value is less than or equal to the falling threshold, and the last sample value was greater than this threshold, then an alarm will be generated.
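The rising/falling threshold rule for rmon alarm is a hysteresis state machine, and the high/low watermark behaviour described for process cpu guard follows the same pattern. The Python simulation below is an added example, not code from this guide or the switch firmware; it assumes the first sample may raise either alarm and that delta sampling means the difference between consecutive polls, and all sample values are constructed.

```python
"""Added example: simulate rmon alarm rising/falling threshold hysteresis."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class RmonAlarm:
    """One alarm entry: thresholds plus the state needed for hysteresis."""
    rising: int
    falling: int
    sample_type: str = "absolute"    # "absolute" or "delta", as in the command syntax
    last_raw: Optional[int] = field(default=None, init=False)
    last_value: Optional[int] = field(default=None, init=False)
    armed: str = field(default="both", init=False)   # alarm(s) allowed to fire next

    def __post_init__(self) -> None:
        if self.sample_type not in ("absolute", "delta"):
            raise ValueError("sample_type must be 'absolute' or 'delta'")
        if self.falling > self.rising:
            raise ValueError("falling threshold must not exceed rising threshold")

    def sample(self, raw: int) -> Optional[str]:
        """Feed one polled value; return 'rising', 'falling' or None."""
        if self.sample_type == "delta":
            previous_raw, self.last_raw = self.last_raw, raw
            if previous_raw is None:
                return None           # assumption: first poll only sets the baseline
            value = raw - previous_raw
        else:
            value = raw

        prev, self.last_value = self.last_value, value
        # Rising: current >= threshold and the last sample was below it, and no
        # rising alarm is outstanding (armed is reset only by a falling alarm).
        if (value >= self.rising and (prev is None or prev < self.rising)
                and self.armed in ("both", "rising")):
            self.armed = "falling"
            return "rising"
        # Falling: current <= threshold and the last sample was above it.
        if (value <= self.falling and (prev is None or prev > self.falling)
                and self.armed in ("both", "falling")):
            self.armed = "rising"
            return "falling"
        return None


def run_alarm(alarm: RmonAlarm, samples: List[int]) -> List[Tuple[int, str]]:
    """Return (sample index, alarm type) for every alarm the series generates."""
    events = []
    for index, raw in enumerate(samples):
        event = alarm.sample(raw)
        if event is not None:
            events.append((index, event))
    return events


def naive_rising_count(samples: List[int], rising: int) -> int:
    """Alarms a plain 'value >= threshold' check would raise (no hysteresis)."""
    return sum(1 for value in samples if value >= rising)


# Constructed data: a gauge-style series and a monotonically increasing counter.
ABSOLUTE_SAMPLES = [50, 120, 90, 130, 150, 20, 10, 100]
DELTA_COUNTERS = [1000, 1040, 1200, 1210, 1215, 1400]

if __name__ == "__main__":
    print(run_alarm(RmonAlarm(rising=100, falling=20), ABSOLUTE_SAMPLES))
    print(run_alarm(RmonAlarm(rising=100, falling=10, sample_type="delta"), DELTA_COUNTERS))
    print(naive_rising_count(ABSOLUTE_SAMPLES, 100))
```

In the absolute series the value 130 at index 3 crosses the rising threshold again but raises nothing, because the falling threshold has not been reached since the alarm at index 1.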
Chapter 6 | Remote Monitoring Commands Command Usage ◆ If an event is already defined for an index, the entry must be deleted before any changes can be made with this command. ◆ The specified events determine the action to take when an alarm triggers this event. The response to an alarm can include logging the alarm or sending a message to a trap manager.
Chapter 6 | Remote Monitoring Commands ◆ The information collected for each sample includes: input octets, packets, broadcast packets, multicast packets, undersize packets, oversize packets, fragments, jabbers, CRC alignment errors, collisions, drop events, and network utilization. ◆ The switch reserves two controlEntry index entries for each port.
Chapter 6 | Remote Monitoring Commands Command Usage ◆ By default, each index number equates to a port on the switch, but can be changed to any number not currently in use. ◆ If statistics collection is already enabled on an interface, the entry must be deleted before any changes can be made with this command.
Chapter 6 | Remote Monitoring Commands show rmon history This command shows the sampling parameters configured for each entry in the history group. Command Mode Privileged Exec Example Console#show rmon history Entry 1 is valid, and owned by Monitors 1.3.6.1.2.1.2.2.1.1.
7 Flow Sampling Commands Flow sampling (sFlow) can be used with a remote sFlow Collector to provide an accurate, detailed and real-time overview of the types and levels of traffic present on the network. The sFlow Agent samples 1 out of n packets from all data traversing the switch, re-encapsulates the samples as sFlow datagrams and transmits them to the sFlow Collector.
Chapter 7 | Flow Sampling Commands sflow owner This command creates an sFlow collector on the switch. Use the no form to remove the sFlow receiver. Syntax sflow owner owner-name timeout timeout-value {destination {ipv4-address | ipv6-address}} [max-datagram-size max-datagram-size] [port destination-udp-port] [version {v4 | v5}] no sflow owner owner-name owner-name - Name of the collector.
◆ Use the no sflow owner command to remove the collector.
◆ When the sflow owner command is issued, its associated timeout value will immediately begin to count down. Once the timeout value has reached zero seconds, the sFlow owner and its associated sampling sources will be deleted from the configuration.

Example
This example shows an sflow collector being created on the switch.
Console#sflow owner stat_server1 timeout 100 destination 192.168.220.
Chapter 7 | Flow Sampling Commands Command Mode Privileged Exec Command Usage This command enables a polling data source and configures the interval at which counter values are added to the sample datagram. Example This example sets the polling interval to 10 seconds.
Chapter 7 | Flow Sampling Commands Example This example enables a sampling data source on Ethernet interface 1/1, an associated receiver named “owner1”, and a sampling rate of one out of 1000 packets. The maximum header size is also set to 200 bytes. Console# sflow sampling interface ethernet 1/1 instance 1 receiver owner1 sampling-rate 1000 max-header-size 200 Console# The following command removes a sampling data source from Ethernet interface 1/1.
8 User Authentication Commands You can configure this switch to authenticate users logging into the system for management access using local or remote authentication methods. Port-based authentication using IEEE 802.1X can also be configured to control either management access to the uplink ports or client access to the data ports.
Chapter 8 | User Authentication Commands User Accounts and Privilege Levels User Accounts and Privilege Levels The basic commands required for management access and assigning command privilege levels are listed in this section. This switch also includes other options for password checking via the console or a Telnet connection (page 139), user authentication via a remote authentication server (page 229), and host access authentication for specific ports (page 274).
Chapter 8 | User Authentication Commands User Accounts and Privilege Levels Default Setting The default is level 15. The default password is “super” Command Mode Global Configuration Command Usage ◆ You cannot set a null password. You will have to enter a password to change the command mode from Normal Exec to Privileged Exec with the enable command. ◆ The encrypted password is required for compatibility with legacy password settings (i.e.
Chapter 8 | User Authentication Commands User Accounts and Privilege Levels Level 8-14 provide the same default access privileges, including additional commands in Normal Exec mode, and a subset of commands in Privileged Exec mode under the “Console#” command prompt. Level 15 provides full access to all commands. The privilege level associated with any command can be changed using the privilege command. Any privilege level can access all of the commands assigned to lower privilege levels.
Chapter 8 | User Authentication Commands User Accounts and Privilege Levels privilege This command assigns a privilege level to specified command groups or individual commands. Use the no form to restore the default setting. Syntax privilege mode [all] level level command no privilege mode [all] command mode - The configuration mode containing the specified command. (See “Understanding Command Modes” on page 82 and “Configuration Commands” on page 84.
Chapter 8 | User Authentication Commands Authentication Sequence Example This example shows the privilege level for any command modified by the privilege command. Console#show privilege command privilege exec level 15 ping privilege configure level 15 line Console# Authentication Sequence Three authentication methods can be specified to authenticate users logging into the system for management access. The commands in this section can be used to define the authentication method and sequence.
Chapter 8 | User Authentication Commands Authentication Sequence ◆ RADIUS and TACACS+ logon authentication assigns a specific privilege level for each user name and password pair. The user name, password, and privilege level must be configured on the authentication server. ◆ You can specify three authentication methods in a single command to indicate the authentication sequence.
Chapter 8 | User Authentication Commands RADIUS Client ◆ You can specify three authentication methods in a single command to indicate the authentication sequence. For example, if you enter “authentication login radius tacacs local,” the user name and password on the RADIUS server is verified first. If the RADIUS server is not available, then authentication is attempted on the TACACS+ server. If the TACACS+ server is not available, the local user name and password is checked.
port-number - RADIUS server UDP port used for accounting messages. (Range: 1-65535)

Default Setting
1813

Command Mode
Global Configuration

Example
Console(config)#radius-server acct-port 181
Console(config)#

radius-server auth-port
This command sets the RADIUS server network port. Use the no form to restore the default.
Chapter 8 | User Authentication Commands RADIUS Client index - Allows you to specify up to five servers. These servers are queried in sequence until a server responds or the retransmit period expires. host-ip-address - IP address of server. acct-port - RADIUS server UDP port used for accounting messages. (Range: 1-65535) auth-port - RADIUS server UDP port used for authentication messages. (Range: 1-65535) encrypted-key - Encryption key in encrypted text used to authenticate logon access for client.
Chapter 8 | User Authentication Commands RADIUS Client radius-server key This command sets the RADIUS encryption key. Use the no form to restore the default. Syntax radius-server key key-string no radius-server key key-string - Encryption key used to authenticate logon access for client. Enclose any string containing blank spaces in double quotes.
radius-server retransmit
This command sets the number of retries. Use the no form to restore the default.

Syntax
radius-server retransmit number-of-retries
no radius-server retransmit
number-of-retries - Number of times the switch will try to authenticate logon access via the RADIUS server.
Chapter 8 | User Authentication Commands TACACS+ Client show radius-server This command displays the current settings for the RADIUS server.
Chapter 8 | User Authentication Commands TACACS+ Client Table 41: TACACS+ Client Commands Command Function Mode tacacs-server timeout Sets the interval between sending authentication requests GC show tacacs-server Shows the current TACACS+ settings PE tacacs-server host This command specifies the TACACS+ server and other optional parameters. Use the no form to remove the server, or to restore the default values.
Chapter 8 | User Authentication Commands TACACS+ Client tacacs-server key This command sets the TACACS+ encryption key. Use the no form to restore the default. Syntax tacacs-server key key-string no tacacs-server key key-string - Encryption key used to authenticate logon access for the client. Enclose any string containing blank spaces in double quotes.
Chapter 8 | User Authentication Commands TACACS+ Client tacacs-server port This command specifies the TACACS+ server network port. Use the no form to restore the default. Syntax tacacs-server port port-number no tacacs-server port port-number - TACACS+ server TCP port used for authentication messages. (Range: 1-65535) Default Setting 49 Command Mode Global Configuration Example Console(config)#tacacs-server port 181 Console(config)# tacacs-server This command sets the number of retries.
Chapter 8 | User Authentication Commands TACACS+ Client tacacs-server timeout This command sets the interval between transmitting authentication requests to the TACACS+ server. Use the no form to restore the default. Syntax tacacs-server timeout number-of-seconds no tacacs-server timeout number-of-seconds - Number of seconds the switch waits for a reply before resending a request.
Chapter 8 | User Authentication Commands AAA AAA The Authentication, Authorization, and Accounting (AAA) feature provides the main framework for configuring access control on the switch. The AAA functions require the use of configured RADIUS or TACACS+ servers in the network. Table 42: AAA Commands Command Function Mode aaa accounting dot1x Enables accounting of 802.
method-name - Specifies an accounting method for service requests. (Range: 1-64 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
server-group - Specifies the name of a server group configured with the aaa group server command.
default - Specifies the default accounting method for service requests.
method-name - Specifies an accounting method for service requests. (Range: 1-64 characters)
start-stop - Records accounting from starting point and stopping point.
group - Specifies the server group to use.
radius - Specifies all RADIUS hosts configured with the radius-server host command.
tacacs+ - Specifies all TACACS+ hosts configured with the tacacs-server host command.
Chapter 8 | User Authentication Commands AAA Command Mode Global Configuration Command Usage ◆ When accounting updates are enabled, the switch issues periodic interim accounting records for all users on the system. ◆ Using the command without specifying an interim interval enables updates, but does not change the current interval setting.
Chapter 8 | User Authentication Commands AAA ◆ Note that the default and method-name fields are only used to describe the accounting method(s) configured on the specified RADIUS or TACACS+ servers, and do not actually send any information to the servers about the methods to use. Example Console(config)#aaa accounting commands 15 default start-stop group tacacs+ Console(config)# aaa authorization exec This command enables the authorization for Exec access.
Example
Console(config)#aaa authorization exec default group tacacs+
Console(config)#

aaa authorization commands
This command enables the authorization for Exec access. Use the no form to disable the command level authorization service.

Syntax
aaa authorization commands level {default | method-name} {group [tacacs+ | server-group]}
no aaa authorization commands level {default | method-name}

level - The command access privileges.
Chapter 8 | User Authentication Commands AAA aaa group server Use this command to name a group of security server hosts. To remove a server group from the configuration list, enter the no form of this command. Syntax [no] aaa group server {radius | tacacs+} group-name radius - Defines a RADIUS server group. tacacs+ - Defines a TACACS+ server group. group-name - A text string that names a security server group.
Chapter 8 | User Authentication Commands AAA Example Console(config)#aaa group server radius tps Console(config-sg-radius)#server 10.2.68.120 Console(config-sg-radius)# accounting dot1x This command applies an accounting method for 802.1X service requests on an interface. Use the no form to disable accounting on the interface. Syntax accounting dot1x {default | list-name} no accounting dot1x default - Specifies the default method list created with the aaa accounting dot1x command.
Chapter 8 | User Authentication Commands AAA Command Mode Line Configuration Example Console(config)#line console Console(config-line-console)#account commands 15 default Console(config-line-console)# This command applies an accounting method to local console, Telnet or SSH connections. Use the no form to disable accounting on the line. Syntax accounting exec {default | list-name} no accounting exec default - Specifies the default method list created with the aaa accounting exec command.
Chapter 8 | User Authentication Commands AAA list-name - Specifies a privileged exec. level from 0 to 15. default - Specifies the default method list created with the aaa accounting exec command. list-name - Specifies a method list created with the aaa accounting exec command.
authorization commands
This command enables authorization for all commands at the specified privileged level. Use the no form to disable authorization commands on the line.

Syntax
authorization commands level {default | method-name}
no authorization commands level

level - The command access privileges. (Range: 0-15)
default - Specifies the default method list created with the aaa authorization exec command.
Chapter 8 | User Authentication Commands AAA interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-10/28) Default Setting None Command Mode Privileged Exec Example Console#show accounting commands 15 Accounting Type : Commands 15 Method List : default Group List : tacacs+ Interface : Console# show authorization This command displays the current aaa authorization configuration for exec and commands.
Chapter 8 | User Authentication Commands Web Server Web Server This section describes commands used to configure web browser management access to the switch.
Chapter 8 | User Authentication Commands Web Server Related Commands aaa authorization commands (251) ip http server (259) ip http port This command specifies the TCP port number used by the web browser interface. Use the no form to use the default port. Syntax ip http port port-number no ip http port port-number - The TCP port to be used by the browser interface.
Chapter 8 | User Authentication Commands Web Server Related Commands ip http port (259) show system (119) ip http secure-port This command specifies the TCP port number used for HTTPS connection to the switch’s web interface. Use the no form to restore the default port. Syntax ip http secure-port port_number no ip http secure-port port_number – The TCP port used for HTTPS.
Chapter 8 | User Authentication Commands Web Server Command Mode Global Configuration Command Usage ◆ Both HTTP and HTTPS service can be enabled independently on the switch. However, you cannot configure the HTTP and HTTPS servers to use the same UDP port.
Chapter 8 | User Authentication Commands Telnet Server Telnet Server This section describes commands used to configure Telnet management access to the switch.
Chapter 8 | User Authentication Commands Telnet Server Example Console(config)#ip telnet max-sessions 1 Console(config)# ip telnet port This command specifies the TCP port number used by the Telnet interface. Use the no form to use the default port. Syntax ip telnet port port-number no telnet port port-number - The TCP port number to be used by the browser interface.
Chapter 8 | User Authentication Commands Telnet Server telnet (client) This command accesses a remote device using a Telnet connection. Syntax telnet host host - IP address or alias of a remote device. Command Mode Privileged Exec Example Console#telnet 192.168.2.254 Connect To 192.168.2.254...
Chapter 8 | User Authentication Commands Secure Shell show ip telnet This command displays the configuration settings for the Telnet server. Command Mode Normal Exec, Privileged Exec Example Console#show ip telnet IP Telnet Configuration: Telnet Status: Enabled Telnet Service Port: 23 Telnet Max Session: 4 Console# Secure Shell This section describes the commands used to configure the SSH server.
Chapter 8 | User Authentication Commands Secure Shell Table 46: Secure Shell Commands (Continued) Command Function Mode show ssh Displays the status of current SSH sessions PE show users Shows SSH users, including privilege level and public key type PE Configuration Guidelines The SSH server on this switch supports both password and public key authentication.
Chapter 8 | User Authentication Commands Secure Shell 4. Set the Optional Parameters – Set other optional parameters, including the authentication timeout, the number of retries, and the server key size. 5. Enable SSH Service – Use the ip ssh server command to enable the SSH server on the switch. 6. Authentication – One of the following authentication methods is employed: Password Authentication (for SSH v1.5 or V2 Clients) a. The client sends its password to the server. b.
Chapter 8 | User Authentication Commands Secure Shell d. When the server receives this message, it checks whether the supplied key is acceptable for authentication, and if so, it then checks whether the signature is correct. If both checks succeed, the client is authenticated. Note: The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions.
Chapter 8 | User Authentication Commands Secure Shell Command Mode Global Configuration Command Usage ◆ The SSH server supports up to eight client sessions. The maximum number of client sessions includes both current Telnet sessions and SSH sessions. ◆ The SSH server uses RSA for key exchange when the client first establishes a connection with the switch, and then negotiates with the client to select either DES (56-bit) or 3DES (168-bit) for data encryption.
Chapter 8 | User Authentication Commands Secure Shell ip ssh timeout This command configures the timeout for the SSH server. Use the no form to restore the default setting. Syntax ip ssh timeout seconds no ip ssh timeout seconds – The timeout for client response during SSH negotiation. (Range: 1-120) Default Setting 120 seconds Command Mode Global Configuration Command Usage The timeout specifies the interval the switch will wait for a response from the client during the SSH negotiation phase.
ip ssh crypto host-key generate
This command generates the host key pair (i.e., public and private).

Syntax
ip ssh crypto host-key generate

Default Setting
Generates RSA key pairs.

Command Mode
Privileged Exec

Command Usage
◆ The switch uses only RSA Version 1 for SSHv1.5 clients and SSHv2 clients.
◆ This command stores the host key pair in memory (i.e., RAM). Use the ip ssh save host-key command to save the host key pair to flash memory.
Chapter 8 | User Authentication Commands Secure Shell ◆ The SSH server must be disabled before you can execute this command. Example Console#ip ssh crypto zeroize Console# Related Commands ip ssh crypto host-key generate (271) ip ssh save host-key (272) no ip ssh server (268) ip ssh save host-key This command saves the host key from RAM to flash memory. Syntax ip ssh save host-key Default Setting Saves the RSA key.
Chapter 8 | User Authentication Commands Secure Shell show public-key This command shows the public key for the specified user or for the host. Syntax show public-key [user [username]| host] username – Name of an SSH user. (Range: 1-32 characters) Default Setting Shows all public keys. Command Mode Privileged Exec Command Usage If no parameters are entered, all keys are displayed. If the user keyword is entered, but no user name is specified, then the public keys for all users are displayed.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Table 47: show ssh - display description Field Description Connection The session number. (Range: 1-8) Version The Secure Shell version number. State The authentication negotiation state. (Values: Negotiation-Started, Authentication-Started, Session-Started) Username The user name of the client. 802.1X Port Authentication The switch supports IEEE 802.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Table 48: 802.1X Port Authentication Commands (Continued) Command Function Mode dot1x re-authenticate Forces re-authentication on specific ports PE Shows all dot1x related information PE Information Display Commands show dot1x General Commands dot1x default This command sets all configurable dot1x authenticator global and port settings to their default values.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Authenticator Commands dot1x intrusion-action This command sets the port’s response to a failed authentication, either to block all traffic, or to assign all traffic for the port to a guest VLAN. Use the no form to reset the default. Syntax dot1x intrusion-action {block-traffic | guest-vlan} no dot1x intrusion-action block-traffic - Blocks traffic on this port. guest-vlan - Assigns the user to the Guest VLAN.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Command Mode Interface Configuration Example Console(config)#interface eth 1/2 Console(config-if)#dot1x max-reauth-req 2 Console(config-if)# dot1x max-req This command sets the maximum number of times the switch port will retransmit an EAP request/identity packet to the client before it times out the authentication session. Use the no form to restore the default.
single-host – Allows only a single host to connect to this port.
multi-host – Allows multiple hosts to connect to this port.
max-count – Keyword for the maximum number of hosts.
count – The maximum number of hosts that can connect to a port. (Range: 1-1024; Default: 5)
mac-based-auth – Allows multiple hosts to connect to this port, with each host needing to be authenticated.
Chapter 8 | User Authentication Commands 802.1X Port Authentication auto – Requires a dot1x-aware connected client to be authorized by the RADIUS server. Clients that are not dot1x-aware will be denied access. force-authorized – Configures the port to grant access to all clients, either dot1x-aware or otherwise. force-unauthorized – Configures the port to deny access to all clients, either dot1x-aware or otherwise.
Related Commands
dot1x timeout re-authperiod (281)

dot1x timeout quiet-period
This command sets the time that a switch port waits after the maximum request count (see page 278) has been exceeded before attempting to acquire a new client. Use the no form to reset the default.

Syntax
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period

seconds - The number of seconds.
dot1x timeout supp-timeout
This command sets the time that an interface on the switch waits for a response to an EAP request from a client before re-transmitting an EAP packet. Use the no form to reset to the default value.

Syntax
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout

seconds - The number of seconds.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Example Console(config)#interface eth 1/2 Console(config-if)#dot1x timeout tx-period 300 Console(config-if)# dot1x re-authenticate This command forces re-authentication on all ports or a specific interface. Syntax dot1x re-authenticate [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 8 | User Authentication Commands 802.1X Port Authentication Command Mode Privileged Exec Command Usage This command displays the following information: ◆ Global 802.1X Parameters – Shows whether or not 802.1X port authentication is globally enabled on the switch (page 276). ◆ Authenticator Parameters – Shows whether or not EAPOL pass-through is enabled (page 275). ◆ 802.1X Port Summary – Displays the port access control parameters for each interface that has enabled 802.
■ Current Identifier – The integer (0-255) used by the Authenticator to identify the current authentication session.
◆ Backend State Machine
■ State – Current state (including request, response, success, fail, timeout, idle, initialize).
■ Request Count – Number of EAP Request packets sent to the Supplicant without receiving a response.
 State              : Authenticated
 Reauth Count       : 0
 Current Identifier : 3
Backend State Machine
 State              : Idle
 Request Count      : 0
 Identifier(Server) : 2
Reauthentication State Machine
 State              : Initialize
Console#

Management IP Filter
This section describes commands used to configure IP management access to the switch.
Command Mode
Global Configuration

Command Usage
◆ The management interfaces are open to all IP addresses by default. Once you add an entry to a filter list, access to that interface is restricted to the specified addresses.
◆ If anyone tries to access a management interface on the switch from an invalid address, the switch will reject the connection, enter an event message in the system log, and send a trap message to the trap manager.
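The filter behaviour described above (open to all addresses until the first entry is added, then restricted to the listed ranges) can be modelled offline to audit an exported filter table. The following Python is an added example, not code from this guide or the switch software; the service keys (http, snmp, telnet) and every address range are constructed sample data.

```python
from ipaddress import IPv4Address

# Constructed sample data shaped like "show management all-client" output:
# each service maps to inclusive (start, end) address ranges.
# The service keys and every address below are assumptions for illustration.
SAMPLE_FILTERS = {
    "http": [("192.168.1.1", "192.168.1.100"), ("192.168.2.1", "192.168.2.20")],
    "snmp": [("10.1.2.1", "10.1.2.50")],
    "telnet": [],  # no entry configured, so the interface is still open to all
}


def parse_filters(raw):
    """Convert text ranges to IPv4Address pairs and reject inverted ranges."""
    parsed = {}
    for service, ranges in raw.items():
        parsed[service] = []
        for start, end in ranges:
            low, high = IPv4Address(start), IPv4Address(end)
            if low > high:
                raise ValueError(f"{service}: start {low} is above end {high}")
            parsed[service].append((low, high))
    return parsed


def is_permitted(filters, service, source):
    """An empty filter list permits every address; otherwise only listed ranges."""
    ranges = filters.get(service, [])
    if not ranges:
        return True
    address = IPv4Address(source)
    return any(low <= address <= high for low, high in ranges)


def open_services(filters):
    """Management interfaces with no filter entry, reachable from any address."""
    return sorted(name for name, ranges in filters.items() if not ranges)


def permitted_address_count(filters, service):
    """Distinct addresses allowed for a service, or None when it is unfiltered."""
    ranges = sorted((int(low), int(high)) for low, high in filters.get(service, []))
    if not ranges:
        return None
    total, covered_to = 0, None
    for low, high in ranges:
        if covered_to is not None and low <= covered_to:
            low = covered_to + 1  # skip the part an earlier range already counted
        if low <= high:
            total += high - low + 1
            covered_to = high
    return total


def review(filters, attempts):
    """Verdict per (service, source) attempt, using the documented response."""
    return [
        (service, source,
         "accept" if is_permitted(filters, service, source) else "reject, log, trap")
        for service, source in attempts
    ]


if __name__ == "__main__":
    table = parse_filters(SAMPLE_FILTERS)
    print("Unfiltered management interfaces:", open_services(table))
    for row in review(table, [("http", "192.168.1.50"), ("http", "172.16.0.9"),
                              ("telnet", "203.0.113.9")]):
        print(row)
```

An interface reported by open_services has no filter entry at all, which is the default state the Command Usage text describes.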
Chapter 8 | User Authentication Commands PPPoE Intermediate Agent Example Console#show management all-client Management IP Filter HTTP Client: Start IP Address ---------------------------------------192.168.1.1 192.168.2.1 SNMP Client: Start IP Address ---------------------------------------10.1.2.1 171.1.2.34 Telnet Client: Start IP Address ---------------------------------------192.168.1.1 192.168.2.1 End IP Address ------------------------------------192.168.1.100 192.168.2.
Table 50: PPPoE Intermediate Agent Commands (Continued)

Command                                    Function                                   Mode
show pppoe intermediate-agent info         Displays PPPoE IA configuration settings   PE
show pppoe intermediate-agent statistics   Displays PPPoE IA statistics               PE

pppoe intermediate-agent
This command enables the PPPoE Intermediate Agent globally on the switch. Use the no form to disable this feature.
pppoe intermediate-agent format-type
This command sets the access node identifier and generic error message for the switch. Use the no form to restore the default settings.
Chapter 8 | User Authentication Commands PPPoE Intermediate Agent Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage PPPoE IA must also be enabled globally on the switch for this command to take effect. Example Console(config)#interface ethernet 1/5 Console(config-if)#pppoe intermediate-agent port-enable Console(config-if)# pppoe intermediate- This command sets the circuit-id or remote-id for an interface. Use the no form to agent port-format- restore the default settings.
command.
◆ If the remote-id is unspecified, the port name will be used for this parameter. If the port name is not configured, the remote-id is set to the port MAC (yy-yy-yy-yy-yy-yy#), where # is the default delimiter.
pppoe intermediate-agent trust
This command sets an interface to trusted mode to indicate that it is connected to a PPPoE server. Use the no form to set an interface to untrusted mode.

Syntax
[no] pppoe intermediate-agent trust

Default Setting
Untrusted

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
Set any interfaces connecting the switch to a PPPoE Server as trusted.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#pppoe intermediate-agent vendor-tag strip
Console(config-if)#

clear pppoe intermediate-agent statistics
This command clears statistical counters for the PPPoE Intermediate Agent.

Syntax
clear pppoe intermediate-agent statistics interface [interface]

interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Chapter 8 | User Authentication Commands PPPoE Intermediate Agent PPPoE Intermediate Agent Oper Access Node Identifier 192.168.2.12 PPPoE Intermediate Agent Admin Generic Error Message : : PPPoE Intermediate Agent Oper Generic Error Message : PPPoE Discover packet too large to process.
Table 51: show pppoe intermediate-agent statistics - display description

Field                       Description
Received
  ALL                       Count of all packets received.
  PADI                      PPPoE Active Discovery Initiation
  PADO                      PPPoE Active Discovery Offer
  PADR                      PPPoE Active Discovery Request
  PADS                      PPPoE Active Discovery Session-Confirmation
  PADT                      PPPoE Active Discovery Terminate
Dropped
  Response from untrusted   Response from an interface which has not been configured as trusted.
9 General Security Measures

This switch supports many methods of segregating traffic for clients attached to each of the data ports, and for ensuring that only authorized clients gain access to the network. Port-based authentication using IEEE 802.1X is commonly used for these purposes. In addition to these methods, several other options for providing client security are described in this chapter.
Chapter 9 | General Security Measures Port Security Port Security These commands can be used to enable port security on a port. When MAC address learning is disabled on an interface, only incoming traffic with source addresses already stored in the dynamic or static address table for this port will be authorized to access the network. When using port security, the switch stops learning new MAC addresses on the specified port when it has reached a configured maximum number.
Command Usage
◆ The no mac-learning command immediately stops the switch from learning new MAC addresses on the specified port or trunk. Incoming traffic with source addresses not stored in the static address table will be flooded. However, if a security function such as 802.
Chapter 9 | General Security Measures Port Security action - Response to take when port security is violated. shutdown - Disable port only. trap - Issue SNMP trap message only. trap-and-shutdown - Issue SNMP trap message and disable port. max-mac-count address-count - The maximum number of MAC addresses that can be learned on a port.
number of MAC addresses, the port will stop learning new addresses. The MAC addresses already in the address table will be retained and will not be aged out.
◆ MAC addresses that port security has learned can be saved in the configuration file as static entries. See command port security mac-address-as-permanent.
Command Mode
Privileged Exec

Example
This example shows the switch saving the MAC addresses learned by port security on ethernet port 1/3.
Console#port security mac-address-as-permanent interface ethernet 1/3
Console#

port security mac-address sticky
Use this command to save the MAC addresses that port security has learned as “sticky” entries.
Chapter 9 | General Security Measures Port Security Command Mode Privileged Exec Example This example shows the port security settings and number of secure addresses for all ports.
Console#show port security interface ethernet 1/2
Global Port Security Parameters
 Secure MAC Aging Mode : Disabled

Port Security Details
 Port                             : 1/2
 Port Security                    : Enabled
 Port Status                      : Secure/Up
 Intrusion Action                 : None
 Max MAC Count                    : 0
 Current MAC Count                : 0
 MAC Filter                       : Disabled
 Last Intrusion MAC               : NA
 Last Time Detected Intrusion MAC : NA
Console#

This example shows information about a detected intrusion.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Table 55: Network Access Commands (Continued) Command Function Mode network-access dynamic-qos Enables the dynamic quality of service feature IC network-access dynamic-vlan Enables dynamic VLAN assignment from a RADIUS server IC network-access guest-vlan Specifies the guest VLAN IC network-access link-detection Enables the link detection feature IC network-access link-detection link-down Configures the link dete
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Usage ◆ Authenticated MAC addresses are stored as dynamic entries in the switch’s secure MAC address table and are removed when the aging time expires. The address aging time is determined by the mac-address-table aging-time command.
more ports with the network-access port-mac-filter command.
◆ Up to 64 filter tables can be defined.
◆ There is no limitation on the number of entries that can be entered in a filter table.

Example
Console(config)#network-access mac-filter 1 mac-address 11-22-33-44-55-66
Console(config)#

mac-authentication reauth-time
Use this command to set the time period after which a connected MAC address must be re-authenticated.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Default Setting Disabled Command Mode Interface Configuration Command Usage ◆ The RADIUS server may optionally return dynamic QoS assignments to be applied to a switch port for an authenticated user.
network-access dynamic-vlan
Use this command to enable dynamic VLAN assignment for an authenticated port. Use the no form to disable dynamic VLAN assignment.

Syntax
[no] network-access dynamic-vlan

Default Setting
Enabled

Command Mode
Interface Configuration

Command Usage
◆ When enabled, the VLAN identifiers returned by the RADIUS server through the 802.
network-access guest-vlan
Use this command to assign all traffic on a port to a guest VLAN when 802.1x authentication or MAC authentication is rejected. Use the no form of this command to disable guest VLAN assignment.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access link-detection
Console(config-if)#

network-access link-detection link-down
Use this command to detect link-down events. When detected, the switch can shut down the port, send an SNMP trap, or both. Use the no form of this command to disable this feature.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) action - Response to take when port security is violated. shutdown - Disable port only. trap - Issue SNMP trap message only. trap-and-shutdown - Issue SNMP trap message and disable the port.
network-access max-mac-count
Use this command to set the maximum number of MAC addresses that can be authenticated on a port interface via all forms of authentication. Use the no form of this command to restore the default.

Syntax
network-access max-mac-count count
no network-access max-mac-count

count - The maximum number of authenticated IEEE 802.1X and MAC addresses allowed.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) ◆ Authenticated MAC addresses are stored as dynamic entries in the switch secure MAC address table and are removed when the aging time expires. The maximum number of secure MAC addresses supported for the switch system is 1024. ◆ Configured static MAC addresses are added to the secure address table when seen on a switch port. Static addresses are treated as authenticated without sending a request to a RADIUS server.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#network-access port-mac-filter 1
Console(config-if)#

mac-authentication intrusion-action
Use this command to configure the port response to a host MAC authentication failure. Use the no form of this command to restore the default.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Example Console(config-if)#mac-authentication max-mac-count 32 Console(config-if)# clear network-access Use this command to clear entries from the secure MAC addresses table. Syntax clear network-access mac-address-table [static | dynamic] [address mac-address] [interface interface] static - Specifies static address entries. dynamic - Specifies dynamic address entries. mac-address - Specifies a MAC address entry.
Chapter 9 | General Security Measures Network Access (MAC Address Authentication) Command Mode Privileged Exec Example Console#show network-access interface ethernet 1/1 Global secure port information Reauthentication Time : 1800 MAC Address Aging : Enabled Port : 1/1 MAC Authentication MAC Authentication Intrusion Action MAC Authentication Maximum MAC Counts Maximum MAC Counts Dynamic VLAN Assignment Dynamic QoS Assignment MAC Filter ID Guest VLAN Link Detection Detection Mode Detection Action Console# :
Command Usage
When using a bit mask to filter displayed MAC addresses, a 1 means “care” and a 0 means “don't care”. For example, a MAC of 00-00-01-02-03-04 and mask FF-FF-FF-00-00-00 would result in all MACs in the range 00-00-01-00-00-00 to 00-00-01-FF-FF-FF to be displayed. All other MACs would be filtered out.
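The care/don't-care rule above is a bitwise comparison: a MAC is displayed when it equals the reference address in every bit position where the mask is 1. The following Python is an added example, not code from this guide; it reproduces the range given above and generalizes to masks whose 1 bits are not contiguous, where the selected addresses no longer form one continuous range. The function names are assumptions made for illustration.

```python
import re

MAC_PATTERN = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")
ALL_BITS = 0xFFFFFFFFFFFF  # 48 bits


def parse_mac(text):
    """Convert a hyphen-separated MAC (xx-xx-xx-xx-xx-xx) to a 48-bit integer."""
    if not MAC_PATTERN.fullmatch(text):
        raise ValueError(f"not a MAC address in xx-xx-xx-xx-xx-xx form: {text!r}")
    return int(text.replace("-", ""), 16)


def format_mac(value):
    """Convert a 48-bit integer back to the hyphen-separated display form."""
    raw = f"{value:012X}"
    return "-".join(raw[i:i + 2] for i in range(0, 12, 2))


def matches(candidate, reference, mask):
    """True when candidate equals reference in every bit where the mask is 1."""
    m = parse_mac(mask)
    return (parse_mac(candidate) & m) == (parse_mac(reference) & m)


def displayed_bounds(reference, mask):
    """Lowest and highest MAC that the reference/mask pair selects."""
    m = parse_mac(mask)
    base = parse_mac(reference) & m
    return format_mac(base), format_mac(base | (~m & ALL_BITS))


def is_single_range(mask):
    """True when the mask is 1 bits followed only by 0 bits, so that every
    address between the two bounds is selected, with no gaps."""
    dont_care = ~parse_mac(mask) & ALL_BITS
    return (dont_care & (dont_care + 1)) == 0


if __name__ == "__main__":
    ref, mask = "00-00-01-02-03-04", "FF-FF-FF-00-00-00"
    print(displayed_bounds(ref, mask), is_single_range(mask))
    # Constructed non-contiguous mask: the second octet is ignored, so the
    # selected addresses have gaps between the lowest and highest bound.
    print(matches("00-7F-01-02-03-04", ref, "FF-00-FF-FF-FF-FF"))
```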
Chapter 9 | General Security Measures Web Authentication Note: RADIUS authentication must be activated and configured for the web authentication feature to work properly (see “Authentication Sequence” on page 234). Note: Web authentication cannot be configured on trunk ports.
Example
Console(config)#web-auth login-attempts 2
Console(config)#

web-auth quiet-period
This command defines the amount of time a host must wait after exceeding the limit for failed login attempts, before it may attempt web authentication again. Use the no form to restore the default.

Syntax
web-auth quiet-period time
no web-auth quiet-period

time - The amount of time the host must wait before attempting authentication again.
Example
Console(config)#web-auth session-timeout 1800
Console(config)#

web-auth system-auth-control
This command globally enables web authentication for the switch. Use the no form to restore the default.
Example
Console(config-if)#web-auth
Console(config-if)#

web-auth re-authenticate (Port)
This command ends all web authentication sessions connected to the port and forces the users to re-authenticate.
Syntax
web-auth re-authenticate interface interface
interface - Specifies a port interface.
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console#web-auth re-authenticate interface ethernet 1/2 192.168.1.5
Console#

show web-auth
This command displays global web authentication parameters.
show web-auth summary
This command displays a summary of web authentication port parameters and statistics.
Command Mode
Privileged Exec
Example
Console#show web-auth summary
Global Web-Auth Parameters
System Auth Control : Enabled
Port  Status    Authenticated Host Count
----  --------  ------------------------
1/ 1  Disabled  0
1/ 2  Enabled   8
1/ 3  Disabled  0
1/ 4  Disabled  0
1/ 5  Disabled  0
. . .
DHCPv4 Snooping
Table 58: DHCP Snooping Commands (Continued)
Command: ip dhcp snooping max-number
Function: Configures the maximum number of DHCP clients which can be supported per interface
Mode: IC
Command: ip dhcp snooping trust
Function: Configures the specified interface as trusted
Mode: IC
Command: ip dhcp snooping vlan-flooding
Function: Configures the specified interface to forward DHCP packets when DHCP snooping is disabled on the VLAN
Mode: IC
Command: clear ip dhcp snooping binding
Function: Clears DHCP snooping bindi
◆ When DHCP snooping is enabled, the rate limit for the number of DHCP messages that can be processed by the switch is 100 packets per second. Any DHCP packets in excess of this limit are dropped.
◆ Filtering rules are implemented as follows:
  ■ If global DHCP snooping is disabled, all DHCP packets are forwarded.
switch receives any messages from a DHCP server, any packets received from untrusted ports are dropped.
Example
This example enables DHCP snooping globally for the switch.
◆ DHCP snooping must be enabled for the DHCP Option 82 information to be inserted into packets. When enabled, the switch will only add/remove option 82 information in incoming DHCP packets but not relay them.
  ■ sub-type - Distinguishes different types of circuit IDs.
  ■ sub-length - Length of the circuit ID type.
  ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
  ■ eth - The second field is the fixed string “eth”.
  ■ slot - The slot represents the stack unit for this system.
  ■ port - The port which received the DHCP request.
mac-address - Inserts a MAC address in the remote ID sub-option for the DHCP snooping agent (that is, the MAC address of the switch’s CPU).
ip-address - Inserts an IP address in the remote ID sub-option for the DHCP snooping agent (that is, the IP address of the management interface).
encode - Indicates encoding in ASCII or hexadecimal.
string - An arbitrary string inserted into the remote identifier field.
board-id – TR101 Board ID. (Range: 0-9)
Default Setting
not defined
Command Mode
Global Configuration
Example
This example sets the board ID to 0.
Console(config)#ip dhcp snooping information option tr101 board-id 0
Console(config)#

information policy
This command sets the DHCP snooping information option policy for DHCP client packets that include Option 82 information. Use the no form to restore the default setting.
ip dhcp snooping limit rate
This command sets the maximum number of DHCP packets that can be trapped by the switch for DHCP snooping. Use the no form to restore the default setting.
Syntax
ip dhcp snooping limit rate rate
no dhcp snooping limit rate
rate - The maximum number of DHCP packets that may be trapped for DHCP snooping.
Example
This example enables MAC address verification.
Console(config)#ip dhcp snooping verify mac-address
Console(config)#
Related Commands
ip dhcp snooping (325)
ip dhcp snooping vlan (333)
ip dhcp snooping trust (336)

ip dhcp snooping vlan
This command enables DHCP snooping on the specified VLAN. Use the no form to restore the default setting.
Related Commands
ip dhcp snooping (325)
ip dhcp snooping trust (336)

ip dhcp snooping information option
This command specifies DHCP Option 82 circuit-id suboption information. Use the no form to use the default settings.
  ■ sub-type - Distinguishes different types of circuit IDs.
  ■ sub-length - Length of the circuit ID type.
  ■ access node identifier - ASCII string. Default is the MAC address of the switch’s CPU. This field is set by the ip dhcp snooping information option command.
  ■ eth - The second field is the fixed string “eth”.
  ■ slot - The slot represents the stack unit for this system.
  ■ port - The port which received the DHCP request.
ip dhcp snooping max-number
This command configures the maximum number of DHCP clients which can be supported per interface. Use the no form to restore the default setting.
Syntax
ip dhcp snooping max-number max-number
no dhcp snooping max-number
max-number - Maximum number of DHCP clients.
VLAN according to the default status, or as specifically configured for an interface with the no ip dhcp snooping trust command.
◆ When an untrusted port is changed to a trusted port, all the dynamic DHCP snooping bindings associated with this port are removed.
◆ Additional considerations when the switch itself is a DHCP client – The port(s) through which it submits a client request to the DHCP server must be configured as trusted.
Example
This example sets port 5 to use VLAN flooding.
Console(config)#interface ethernet 1/5
Console(config-if)#ip dhcp snooping vlan-flooding
Console(config-if)#

clear ip dhcp snooping binding
This command clears DHCP snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
ip dhcp snooping database flash
This command writes all dynamically learned snooping entries to flash memory.
Command Mode
Privileged Exec
Command Usage
This command can be used to store the currently learned dynamic DHCP snooping entries to flash memory. These entries will be restored to the snooping table when the switch is reset.
show ip dhcp snooping binding
This command shows the DHCP snooping binding table entries.
Command Mode
Privileged Exec
Example
Console#show ip dhcp snooping binding
MAC Address       IP Address      Lease(sec) Type                 VLAN Interface
----------------- --------------- ---------- -------------------- ---- ---------
11-22-33-44-55-66 192.168.0.
DHCPv6 Snooping
ipv6 dhcp snooping
This command enables DHCPv6 snooping globally. Use the no form to restore the default setting.
Syntax
[no] ipv6 dhcp snooping
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
Network traffic may be disrupted when malicious DHCPv6 messages are received from an outside source. DHCPv6 snooping is used to filter DHCPv6 messages received on an unsecure interface from outside the network or firewall.
Identifier, and address (4 message exchanges to get IPv6 address), and forward to trusted port.
  ■ Solicit: Add new entry in binding cache, recording client’s DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port.
  ■ Decline: If no matching entry is found in binding cache, drop this packet.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which the switch submits a client request to the DHCPv6 server must be configured as trusted (using the ipv6 dhcp snooping trust command).
◆ When the DHCPv6 Snooping Option 37 is enabled, clients can be identified by the switch port to which they are connected rather than just their MAC address. DHCPv6 client-server exchange messages are then forwarded directly between the server and client without having to flood them to the entire VLAN.
◆ DHCPv6 snooping must be enabled for the DHCPv6 Option 37 information to be inserted into packets.
Command Mode
Global Configuration
Command Usage
When the switch receives DHCPv6 packets from clients that already include DHCP Option 37 information, the switch can be configured to set the action policy for these packets. The switch can either drop the DHCPv6 packets, keep the existing information, or replace it with the switch’s relay agent information.
Example
This example enables DHCPv6 snooping for VLAN 1.
Console(config)#ipv6 dhcp snooping vlan 1
Console(config)#
Related Commands
ipv6 dhcp snooping (341)
ipv6 dhcp snooping trust (346)

ipv6 dhcp snooping max-binding
This command sets the maximum number of entries which can be stored in the binding database for an interface. Use the no form to restore the default setting.
Command Usage
◆ A trusted interface is an interface that is configured to receive only messages from within the network. An untrusted interface is an interface that is configured to receive messages from outside the network or firewall.
◆ Set all ports connected to DHCPv6 servers within the local network or firewall to trusted, and all other ports outside the local network or firewall to untrusted.
clear ipv6 dhcp snooping binding
This command clears DHCPv6 snooping binding table entries from RAM. Use this command without any optional keywords to clear all entries from the binding table.
Syntax
clear ipv6 dhcp snooping binding [mac-address ipv6-address]
mac-address - Specifies a MAC address entry. (Format: xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx)
ipv6-address - Corresponding IPv6 address.
show ipv6 dhcp
This command shows the DHCPv6 snooping configuration settings.
show ipv6 dhcp snooping statistics
This command shows statistics for DHCPv6 snooping client, server and relay packets.
IPv4 Source Guard
ip source-guard binding
This command adds a static address to the source-guard ACL or MAC address binding table. Use the no form to remove a static entry.
Syntax
ip source-guard binding [mode {acl | mac}] mac-address vlan vlan-id ip-address interface ethernet unit/port-list
no ip source-guard binding [mode {acl | mac}] mac-address ip-address
mode - Specifies the binding mode.
acl - Adds binding to ACL table.
mac - Adds binding to MAC address table.
◆ Static bindings are processed as follows:
◆ A valid static IP source guard entry will be added to the binding table in ACL mode if one of the following conditions is true:
  ■ If there is no binding entry with the same VLAN ID and MAC address, a new entry will be added to the binding table using the type of static IP source guard binding.
ip source-guard
This command configures the switch to filter inbound traffic based on source IP address, or source IP address and corresponding MAC address. Use the no form to disable this function.
Syntax
ip source-guard {sip | sip-mac}
no ip source-guard
sip - Filters traffic based on IP addresses stored in the binding table.
sip-mac - Filters traffic based on IP addresses and corresponding MAC addresses stored in the binding table.
the sip-mac option). If a matching entry is found in the binding table and the entry type is static IP source guard binding, the packet will be forwarded.
  ■ If DHCP snooping is enabled, IP source guard will check the VLAN ID, source IP address, port number, and source MAC address (for the sip-mac option).
Command Mode
Interface Configuration (Ethernet)
Command Usage
◆ This command sets the maximum number of address entries that can be mapped to an interface in the binding table for the specified mode (ACL binding table or MAC address table) including dynamic entries discovered by DHCP snooping and static entries set by the ip source-guard command.
◆ The maximum binding for ACL mode restricts the number of “active” entries per port.
Command Usage
There are two modes for the filtering table:
◆ ACL - IP traffic will be forwarded if it passes the checking process in the ACL mode binding table.
◆ MAC - A MAC entry will be added to the MAC address table if IP traffic passes the checking process in the MAC mode binding table.
Example
Console#show ip source-guard
Interface Filter-type Filter-table ACL Table Max-binding MAC Table Max-binding
--------- ----------- ------------ --------------------- ---------------------
Eth 1/1   DISABLED    ACL          5                     1024
Eth 1/2   DISABLED    ACL          5                     1024
Eth 1/3   DISABLED    ACL          5                     1024
Eth 1/4   DISABLED    ACL          5                     1024
Eth 1/5   DISABLED    ACL          5                     1024
. . .

show ip source-guard
This command shows the source guard binding table.
IPv6 Source Guard
IPv6 Source Guard is a security feature that filters IPv6 traffic on non-routed, Layer 2 network interfaces based on manually configured entries in the IPv6 Source Guard table, or dynamic entries in the Neighbor Discovery Snooping table or DHCPv6 Snooping table when either snooping protocol is enabled (see “DHCPv6 Snooping” on page 340).
Default Setting
No configured entries
Command Mode
Global Configuration
Command Usage
◆ Table entries include an associated MAC address, IPv6 global unicast address, entry type (Static-IPv6-SG-Binding, Dynamic-ND-Snooping, Dynamic-DHCPv6-Snooping), VLAN identifier, and port identifier.
◆ Traffic filtering is based only on the source IPv6 address, VLAN ID, and port number.
ipv6 dhcp snooping (341)
ipv6 dhcp snooping vlan (345)

ipv6 source-guard
This command configures the switch to filter inbound traffic based on the source IPv6 address or address prefix stored in the binding table. Use the no form to disable this function.
◆ If IPv6 source guard is enabled, an inbound packet’s source IPv6 address will be checked against the binding table. If no matching entry is found, the packet will be dropped.
◆ Filtering rules are implemented as follows:
  ■ If ND snooping and DHCPv6 snooping are disabled, IPv6 source guard will check the VLAN ID, source IPv6 address or address prefix, and port number.
ipv6 source-guard max-binding
This command sets the maximum number of entries that can be bound to an interface. Use the no form to restore the default setting.
Syntax
ipv6 source-guard max-binding number
no ipv6 source-guard max-binding
number - The maximum number of IPv6 addresses that can be mapped to an interface in the binding table.
show ipv6 source-guard
This command shows whether IPv6 source guard is enabled or disabled on each interface, and the maximum allowed bindings.
Command Mode
Privileged Exec
Example
Console#show ipv6 source-guard
Interface Filter-type Max-binding
--------- ----------- -----------
Eth 1/1   DISABLED    5
Eth 1/2   DISABLED    5
Eth 1/3   DISABLED    5
Eth 1/4   DISABLED    5
Eth 1/5   SIP         1
Eth 1/6   DISABLED    5
. . .
ARP Inspection
ARP Inspection validates the MAC-to-IP address bindings in Address Resolution Protocol (ARP) packets. It protects against ARP traffic with invalid address bindings, which forms the basis for certain “man-in-the-middle” attacks.
ip arp inspection
This command enables ARP Inspection globally on the switch. Use the no form to disable this function.
Syntax
[no] ip arp inspection
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When ARP Inspection is enabled globally with this command, it becomes active only on those VLANs where it has been enabled with the ip arp inspection vlan command.
arp-acl-name - Name of an ARP ACL. (Maximum length: 16 characters)
vlan-id - VLAN ID. (Range: 1-4094)
vlan-range - A consecutive range of VLANs indicated by the use of a hyphen, or a random group of VLANs with each entry separated by a comma.
static - ARP packets are only validated against the specified ACL; address bindings in the DHCP snooping database are not checked.
ip arp inspection log-buffer logs
This command sets the maximum number of entries saved in a log message, and the rate at which these messages are sent. Use the no form to restore the default settings.
Syntax
ip arp inspection log-buffer logs message-number interval seconds
no ip arp inspection log-buffer logs
message-number - The maximum number of entries saved in a log message.
ip arp inspection validate
This command specifies additional validation of address components in an ARP packet. Use the no form to restore the default setting.
Syntax
ip arp inspection validate {dst-mac [ip [src-mac | allow-zero [src-mac]] | src-mac | ip [src-mac | allow-zero [src-mac]] | src-mac }
no ip arp inspection validate
dst-mac - Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body.
Default Setting
Disabled on all VLANs
Command Mode
Global Configuration
Command Usage
◆ When ARP Inspection is enabled globally with the ip arp inspection command, it becomes active only on those VLANs where it has been enabled with this command.
◆ When ARP Inspection is enabled globally and enabled on selected VLANs, all ARP request and reply packets on those VLANs are redirected to the CPU and their switching is handled by the ARP Inspection engine.
Default Setting
15
Command Mode
Interface Configuration (Port, Static Aggregation)
Command Usage
◆ This command applies to both trusted and untrusted ports.
◆ When the rate of incoming ARP packets exceeds the configured limit, the switch drops all ARP packets in excess of the limit.
show ip arp inspection
This command displays the global configuration settings for ARP Inspection.
show ip arp inspection log
This command shows information about entries stored in the log, including the associated VLAN, port, and address components.
Command Mode
Privileged Exec
Example
Console#show ip arp inspection log
Total log entries number is 1
Num VLAN Port Src IP Address Dst IP Address
--- ---- ---- -------------- --------------
1   1    11   192.168.2.2    192.168.2.
Console#
Example
Console#show ip arp inspection vlan 1
VLAN ID  DAI Status      ACL Name             ACL Status
-------- --------------- -------------------- --------------------
1        disabled        sales                static
Console#

Denial of Service Protection
A denial-of-service attack (DoS attack) is an attempt to block the services provided by a computer or network resource. This kind of attack tries to prevent an Internet site or service from functioning efficiently or at all.
Example
Console(config)#dos-protection land
Console(config)#

dos-protection tcp-null-scan
This command protects against TCP-null-scan attacks in which a TCP NULL scan message is used to identify listening TCP ports. The scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and no flags. If the target's TCP port is closed, the target replies with a TCP RST (reset) packet.
Command Usage
In these packets, SYN=1 and FIN=1.
Example
Console(config)#dos-protection tcp-syn-fin-scan
Console(config)#

dos-protection tcp-xmas-scan
This command protects against TCP-xmas-scan in which a so-called TCP XMAS scan message is used to identify listening TCP ports. This scan uses a series of strangely configured TCP packets which contain a sequence number of 0 and the URG, PSH and FIN flags.
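The three flag patterns these dos-protection commands describe, written as a check over raw TCP headers such as those taken from a capture. This is an added example, not switch firmware or code from this guide; the function names and sample headers are constructed, and the Xmas match assumes exactly the URG, PSH and FIN flags are set.

```python
# Added illustration: classify TCP headers by the patterns described for
# tcp-null-scan, tcp-syn-fin-scan and tcp-xmas-scan. Names are constructed.
import struct
from collections import Counter

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
CONTROL_BITS = 0x3F  # the six classic control flags in header byte 13

def parse_tcp_header(header: bytes) -> dict:
    """Extract ports, sequence number and control flags from a TCP header."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, _ack, _offset, flags = struct.unpack("!HHIIBB", header[:14])
    return {"sport": sport, "dport": dport, "seq": seq,
            "flags": flags & CONTROL_BITS}

def classify(header: bytes) -> str:
    """Return the matching protection name, 'pass', or 'malformed'."""
    try:
        tcp = parse_tcp_header(header)
    except ValueError:
        return "malformed"
    flags, seq = tcp["flags"], tcp["seq"]
    if flags & SYN and flags & FIN:          # SYN=1 and FIN=1
        return "tcp-syn-fin-scan"
    if seq == 0 and flags == 0:              # sequence number 0, no flags
        return "tcp-null-scan"
    if seq == 0 and flags == (URG | PSH | FIN):  # assumption: exactly these three
        return "tcp-xmas-scan"
    return "pass"

def build_header(sport: int, dport: int, seq: int, flags: int) -> bytes:
    """Build a 20-byte header for the samples (offset 5 words, window 1024)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 1024, 0, 0)

def summarize(headers) -> dict:
    """Count classifications across a batch of captured headers."""
    return dict(Counter(classify(h) for h in headers))

# Constructed sample headers standing in for a packet capture.
SAMPLES = [
    build_header(40000, 22, 0, 0),                  # null pattern
    build_header(40001, 23, 0, URG | PSH | FIN),    # Xmas pattern
    build_header(40002, 80, 7, SYN | FIN),          # SYN and FIN together
    build_header(40003, 443, 0x1A2B3C4D, SYN),      # ordinary connection attempt
    build_header(40004, 443, 0x1A2B3C4E, 0),        # no flags, non-zero sequence
    b"\x00" * 10,                                   # truncated header
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.hex(), "->", classify(sample))
    print(summarize(SAMPLES))
```

A header with no flags but a non-zero sequence number is reported as pass, because the null-scan pattern as described here requires both conditions.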
Port-based Traffic Segmentation
If tighter security is required for passing traffic from different clients through downlink ports on the local network and over uplink ports to the service provider, port-based traffic segmentation can be used to isolate traffic for individual clients. Traffic belonging to each client is isolated to the allocated downlink ports.
◆ When traffic segmentation is enabled, the forwarding state for the uplink and downlink ports assigned to different client sessions is shown below.
Command Mode
Global Configuration
Command Usage
◆ Use this command to create a new traffic-segmentation client session.
◆ Using the no form of this command will remove any assigned uplink or downlink ports, restoring these interfaces to normal operating mode.
◆ A downlink port can only communicate with an uplink port in the same session. Therefore, if an uplink port is not configured for a session, the assigned downlink ports will not be able to communicate with any other ports.
◆ If a downlink port is not configured for the session, the assigned uplink ports will operate as normal ports.
show
This command displays the configured traffic segments.
10 Access Control Lists
Access Control Lists (ACL) provide packet filtering for IPv4 frames (based on address, protocol, Layer 4 protocol port number or TCP control code), IPv6 frames (based on source address or destination address), or any frames (based on MAC address or Ethernet type). To filter packets, first create an access list, add the required rules, and then bind the list to a specific port. This section describes the Access Control List commands.
Chapter 10 | Access Control Lists
IPv4 ACLs
access-list ip
This command adds an IP access list and enters configuration mode for standard or extended IPv4 ACLs. Use the no form to remove the specified ACL.
Syntax
[no] access-list ip {standard | extended} acl-name
standard – Specifies an ACL that filters packets based on the source IP address.
extended – Specifies an ACL that filters packets based on the source or destination IP address, and other more specific criteria.
acl-name – Name of the ACL.
permit, deny (Standard IP ACL)
This command adds a rule to a Standard IPv4 ACL. The rule sets a filter condition for packets emanating from the specified source. Use the no form to remove a rule.
Syntax
{permit | deny} {any | source bitmask | host source} [time-range time-range-name]
no {permit | deny} {any | source bitmask | host source}
any – Any source IP address.
source – Source IP address.
permit, deny (Extended IPv4 ACL)
This command adds a rule to an Extended IPv4 ACL. The rule sets a filter condition for packets with specific source or destination IP addresses, protocol types, source or destination protocol ports, or TCP control codes. Use the no form to remove a rule.
port-bitmask – Decimal number representing the port bits to match. (Range: 0-65535)
control-flags – Decimal number (representing a bit string) that specifies flag bits in byte 14 of the TCP header. (Range: 0-63)
Note: control-flags is only available with the TCP option.
flag-bitmask – Decimal number representing the code bits to match.
time-range-name - Name of the time range.
Example
This example accepts any incoming packets if the source address is within subnet 10.7.1.x. For example, if the rule is matched; i.e., the rule (10.7.1.0 & 255.255.255.0) equals the masked address (10.7.1.2 & 255.255.255.0), the packet passes through.
Console(config-ext-acl)#permit 10.7.1.1 255.255.255.0 any
Console(config-ext-acl)#
This allows TCP packets from class C addresses 192.168.1.
Command Usage
If an ACL is already bound to a port and you bind a different ACL to it, the switch will replace the old binding with the new one.
Example
Console(config)#int eth 1/2
Console(config-if)#ip access-group david in
Console(config-if)#
Related Commands
show ip access-list (387)
Time Range (177)

show ip access-group
This command shows the ports assigned to IP ACLs.
Example
Console#show ip access-list standard
IP standard access-list david:
  permit host 10.1.1.21
  permit 168.92.0.0 255.255.15.0
Console#
Related Commands
permit, deny (383)
ip access-group (386)

IPv6 ACLs
The commands in this section configure ACLs based on IPv6 addresses. To configure IPv6 ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Command Mode
Global Configuration
Command Usage
◆ When you create a new ACL or enter configuration mode for an existing ACL, use the permit or deny command to add new rules to the bottom of the list. To create an ACL, you must add at least one rule to the list.
◆ To remove a rule, use the no permit or no deny command followed by the exact text of a previously configured rule.
◆ An ACL can contain up to 1K rules.
Default Setting
None
Command Mode
Standard IPv6 ACL
Command Usage
New rules are appended to the end of the list.
Example
This example configures one permit rule for the specific address 2009:DB9:2229::79 and another rule for the addresses with the network prefix 2009:DB9:2229:5::/64.
destination-ipv6-address - An IPv6 destination address or network class. The address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields.
dscp – DSCP traffic class. (Range: 0-63)
sport – Protocol source port number.
◆ 51 - Authentication (RFC 2402)
◆ 60 - Destination Options (RFC 2460)
Example
This example accepts any incoming packets if the destination address is 2009:DB9:2229::79 and the source port is TCP port 80.
Console(config-ext-ipv6-acl)#permit tcp any host 2009:DB9:2229::79 source-port 80
Console(config-ext-ipv6-acl)#
Related Commands
access-list ipv6 (388)
Time Range (177)

ipv6 access-group
This command binds an IPv6 ACL to a port.
Related Commands
show ipv6 access-list (393)
Time Range (177)

show ipv6 access-list
This command displays the rules for configured IPv6 ACLs.
Syntax
show ipv6 access-list {standard | extended} [acl-name]
standard – Specifies a standard IPv6 ACL.
extended – Specifies an extended IPv6 ACL.
acl-name – Name of the ACL.
MAC ACLs
The commands in this section configure ACLs based on hardware addresses, packet format, and Ethernet type. To configure MAC ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more ports.
Related Commands
permit, deny (395)
mac access-group (397)
show mac access-list (398)

permit, deny (MAC ACL)
This command adds a rule to a MAC ACL. The rule filters packets matching a specified MAC source or destination address (i.e., physical layer address), or Ethernet protocol type. Use the no form to remove a rule.
no {permit | deny} tagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [vid vid vid-bitmask]
{permit | deny} untagged-802.3 {any | host source | source address-bitmask} {any | host destination | destination address-bitmask} [time-range time-range-name]
no {permit | deny} untagged-802.
  ■ 8137 - IPX
Example
This rule permits packets from any source MAC address to the destination address 00-e0-29-94-34-de where the Ethernet type is 0800.
Console(config-mac-acl)#permit any host 00-e0-29-94-34-de ethertype 0800
Console(config-mac-acl)#
Related Commands
access-list mac (394)
Time Range (177)

mac access-group
This command binds a MAC ACL to a port. Use the no form to remove the port.
show mac access-group
This command shows the ports assigned to MAC ACLs.
Command Mode
Privileged Exec
Example
Console#show mac access-group
Interface ethernet 1/5
 MAC access-list M5 in
Console#
Related Commands
mac access-group (397)

show mac access-list
This command displays the rules for configured MAC ACLs.
Syntax
show mac access-list [acl-name]
acl-name – Name of the ACL.
ARP ACLs
The commands in this section configure ACLs based on the IP or MAC address contained in ARP request and reply messages. To configure ARP ACLs, first create an access list containing the required permit or deny rules, and then bind the access list to one or more VLANs using the ip arp inspection vlan command.
Related Commands
permit, deny (400)
show arp access-list (401)

permit, deny (ARP ACL)
This command adds a rule to an ARP ACL. The rule filters packets matching a specified source or destination address in ARP messages. Use the no form to remove a rule.
Example
This rule permits packets from any source IP and MAC address to the destination subnet address 192.168.0.0.
Console(config-arp-acl)#permit response ip any 192.168.0.0 255.255.0.0 mac any any
Console(config-arp-acl)#
Related Commands
access-list arp (399)

show access-list arp
This command displays the rules for configured ARP ACLs.
Syntax
show access-list arp [acl-name]
acl-name – Name of the ACL.
Related Commands
permit, deny (400)

ACL Information
This section describes commands used to display ACL information.
Table 73: ACL Information Commands
Command: clear access-list hardware counters
Function: Clears hit counter for rules in all ACLs, or in a specified ACL.
show access-group
This command shows the port assignments of ACLs.

Command Mode
Privileged Executive

Example
Console#show access-group
Interface ethernet 1/2
 MAC access-list macacl in
 IPv6 access-list ipv6extacl in
 MAC access-list macacl out
 IPv6 access-list ipv6extacl out
Console#

show access-list
This command shows all ACLs and associated rules.
 permit any host 00-e0-29-94-34-de ethertype 0800
IP extended access-list pop3-secure:
 permit TCP any any source-port 995 destination-port 885
IP extended access-list smtp-nonsecure:
 permit TCP any any source-port 25 destination-port 25
IP extended access-list smtp-secure-tls:
 permit TCP any any source-port 587 destination-port 587
IP extended access-list pop3-nonsecure:
 permit TCP any any source-port 110 destination-port 110
IP extended access-list smtp-sec
ARP access-list arplist:
ARP access-list arper:
 permit ip any any mac any any log
 permit ip any any mac any any
 permit request ip any any mac any any
Console#
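The show access-list output above lends itself to an automated review. The following is an added example, not part of the original guide or of the switch software: it parses output in that layout and reports ACLs with no rules, permit rules whose address fields are all "any", and rules that repeat an earlier rule apart from the log keyword. The sample text is constructed from the rules shown above (the ACL header for the MAC rule is assumed), and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the "show access-list" example above.
# The header line for the MAC ACL is an assumption; the rules are from the example.
SAMPLE_OUTPUT = """\
MAC access-list macacl:
  permit any host 00-e0-29-94-34-de ethertype 0800
IP extended access-list pop3-secure:
  permit TCP any any source-port 995 destination-port 885
IP extended access-list smtp-nonsecure:
  permit TCP any any source-port 25 destination-port 25
ARP access-list arplist:
ARP access-list arper:
  permit ip any any mac any any log
  permit ip any any mac any any
  permit request ip any any mac any any
Console#
"""

HEADER = re.compile(r"^(?P<kind>.+?) access-list (?P<name>\S+):$")
# Keywords that select a protocol or ARP packet type but do not narrow addresses.
SELECTORS = {"ip", "mac", "tcp", "udp", "request", "response"}


def parse_acls(text):
    """Return {acl_name: {"kind": ..., "rules": [...]}} from show access-list text."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = acls.setdefault(
                header["name"], {"kind": header["kind"], "rules": []})
        elif current is not None and line.split(" ", 1)[0].lower() in ("permit", "deny"):
            current["rules"].append(line)
    return acls


def match_key(rule):
    """Split a rule into (action, match fields), ignoring the log keyword."""
    tokens = rule.lower().split()
    return tokens[0], tuple(t for t in tokens[1:] if t != "log")


def is_unrestricted(fields):
    """True when every operand left after the selector keywords is 'any'."""
    operands = [t for t in fields if t not in SELECTORS]
    return bool(operands) and all(t == "any" for t in operands)


def audit(acls):
    """Return a list of (acl_name, finding, rule) tuples for manual review."""
    findings = []
    for name, acl in acls.items():
        if not acl["rules"]:
            findings.append((name, "empty", ""))
        seen = set()
        for rule in acl["rules"]:
            action, fields = match_key(rule)
            if action == "permit" and is_unrestricted(fields):
                findings.append((name, "permit-any", rule))
            if (action, fields) in seen:
                findings.append((name, "redundant", rule))
            seen.add((action, fields))
    return findings


if __name__ == "__main__":
    for name, finding, rule in audit(parse_acls(SAMPLE_OUTPUT)):
        print(f"{name:<16} {finding:<11} {rule}")
```

Rules limited by a host address, subnet mask, port or Ethernet type are not reported; only the catch-all ARP rules and the empty list are.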
11 Interface Commands

These commands are used to display or set communication parameters for an Ethernet port, aggregated link, or VLAN; or perform cable diagnostics on the specified interface.
Table 74: Interface Commands (Continued)
Command | Function | Mode
Transceiver Threshold Configuration
transceiver-monitor | Sends a trap when any of the transceiver’s operational values fall outside specified thresholds | IC
transceiver-threshold-auto | Uses default threshold settings obtained from the transceiver to determine when an alarm or trap message should be sent | IC
transceiver-threshold current | Sets thresholds for transceiver current which can be used to trigger an
Interface Configuration

interface
This command configures an interface type and enters interface configuration mode. Use the no form with a trunk to remove an inactive interface. Use the no form with a Layer 3 VLAN (normal type) to change it back to a Layer 2 interface.

Syntax
interface interface-list
no interface {port-channel channel-id | vlan vlan-id}
interface-list – One or more ports.
1000full - Supports 1 Gbps full-duplex operation
100full - Supports 100 Mbps full-duplex operation
100half - Supports 100 Mbps half-duplex operation
10full - Supports 10 Mbps full-duplex operation
10half - Supports 10 Mbps half-duplex operation
flowcontrol - Supports flow control.
symmetric - When specified, the port transmits and receives symmetric pause frames.
Related Commands
negotiation (414)
speed-duplex (416)
flowcontrol (412)

description
This command adds a description to an interface. Use the no form to remove the description.

Syntax
description string
no description
string - Comment or a description to help you remember what is attached to this interface.
Command Usage
Use the no discard command to allow CDP or PVST packets to be forwarded to other ports in the same VLAN which are also configured to forward the specified packet type.

Example
The following example forwards CDP packets entering port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#no discard cdp
Console(config-if)#

flowcontrol
This command enables flow control. Use the no form to disable flow control.
Example
The following example enables flow control on port 5.

Console(config)#interface ethernet 1/5
Console(config-if)#flowcontrol
Console(config-if)#no negotiation
Console(config-if)#

Related Commands
negotiation (414)
capabilities (flowcontrol, symmetric) (409)

history
This command configures a periodic sampling of statistics, specifying the sampling interval and number of samples. Use the no form to remove a named entry from the sampling table.
media-type
This command forces the transceiver mode to use for SFP/SFP+ ports, or the port type to use for combination RJ-45/SFP ports. Use the no form to restore the default mode.

Syntax
media-type {copper-forced | sfp-forced [mode]}
no media-type
copper-forced - Always uses the built-in RJ-45 port.
sfp-forced - Forces transceiver mode for the SFP/SFP+ port.
mode
 1000sfp - Always uses 1000BASE SFP mode.
 100fx - Always uses 100BASE-FX mode.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ 1000BASE-T does not support forced mode. Auto-negotiation should always be used to establish a connection over any 1000BASE-T port or trunk.
◆ The 10GBASE-SFP+ transceivers do not support auto-negotiation. Forced mode should always be used to establish a connection over any 10GBASE-SFP port or trunk.
Command Usage
This command allows you to disable a port due to abnormal behavior (e.g., excessive collisions), and then re-enable it after the problem has been resolved. You may also want to disable a port for security reasons.

Example
The following example disables port 5.
◆ When using the negotiation command to enable auto-negotiation, the optimal settings will be determined by the capabilities command. To set the speed/duplex mode under auto-negotiation, the required mode must be specified in the capabilities list for an interface.

Example
The following example configures port 5 to 100 Mbps, half-duplex operation.
switchport mtu
This command configures the maximum transfer unit (MTU) allowed for layer 2 packets crossing a Gigabit or 10 Gigabit Ethernet port or trunk. Use the no form to restore the default setting.

Syntax
switchport mtu size
no switchport mtu
size - Specifies the maximum transfer unit (or frame size) for a Gigabit or 10 Gigabit Ethernet port or trunk.
Example
The following first enables jumbo frames for layer 2 packets, and then sets the MTU for port 1:

Console(config)#jumbo frame
Console(config)#interface ethernet 1/1
Console(config-if)#switchport mtu 9216
Console(config-if)#

Related Commands
jumbo frame (124)
show interfaces status (428)

clear counters
This command clears statistics on an interface.

Syntax
clear counters interface
interface
 ethernet unit/port
 unit - Unit identifier.
show discard
This command displays whether or not CDP and PVST packets are being discarded.

Command Mode
Privileged Exec

Example
In this example, “Default” means that the packets are not discarded.

Console#show discard
Port     CDP     PVST
-------- ------- ------
Eth 1/ 1 No      No
Eth 1/ 2 No      No
Eth 1/ 3 No      No
Eth 1/ 4 No      No
Eth 1/ 5 No      No
Eth 1/ 6 No      No
. . .
show interfaces counters
This command displays interface statistics.

Syntax
show interfaces counters [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-26)

Default Setting
Shows the counters for all interfaces.

Command Mode
Normal Exec, Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.
 0 Pause Frames Input
 0 Pause Frames Output
===== RMON Stats =====
 0 Drop Events
 16900558 Octets
 40243 Packets
 170 Broadcast PKTS
 23 Multi-cast PKTS
 0 Undersize PKTS
 0 Oversize PKTS
 0 Fragments
 0 Jabbers
 0 CRC Align Errors
 0 Collisions
 21065 Packet Size <= 64 Octets
 3805 Packet Size 65 to 127 Octets
 2448 Packet Size 128 to 255 Octets
 797 Packet Size 256 to 511 Octets
 2941 Packet Size 512 to 1023 Octets
 9187 Packet Size 1024 to 1518 Octets
===== Port Ut
Table 75: show interfaces counters - display description (Continued)
Parameter | Description
QLen Output | The length of the output packet queue (in packets).
Extended IFtable Stats
Multi-cast Input | The number of packets, delivered by this sub-layer to a higher (sub)layer, which were addressed to a multicast address at this sub-layer.
Table 75: show interfaces counters - display description (Continued)
Parameter | Description
Symbol Errors | For an interface operating at 100 Mb/s, the number of times there was an invalid data symbol when a valid carrier was present.
Table 75: show interfaces counters - display description (Continued)
Parameter | Description
Packet Size 65 to 127 Octets, 128 to 255 Octets, 256 to 511 Octets | The total number of packets (including bad packets) received and transmitted where the number of octets fall within the specified range (excluding framing bits but including FCS octets).
Command Mode
Privileged Exec

Command Usage
If no interface is specified, information on all interfaces is displayed.

Example
This example shows the statistics recorded for all named entries in the sampling table.
Console#

This example shows the statistics recorded for a named entry in the sampling table.

Console#show interfaces history ethernet 1/1 1min
Interface : Eth 1/ 1
Name : 1min
Interval : 60 second(s)
Buckets Requested : 10
Buckets Granted : 1
Status : Active
Current Entries
Start Time   %      Octets Input    Unicast       Multicast     Broadcast
------------ ------ --------------- ------------- ------------- -----------
00d 02:00:31 0.
show interfaces status
This command displays the status for an interface.

Syntax
show interfaces status [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-26)
 vlan vlan-id (Range: 1-4094)

Default Setting
Shows the status for all interfaces.
show interfaces switchport
This command displays the administrative and operational status of the specified interfaces.

Syntax
show interfaces switchport [interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)
 port-channel channel-id (Range: 1-26)

Default Setting
Shows all interfaces.
Table 76: show interfaces switchport - display description
Field | Description
Broadcast Threshold | Shows if broadcast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 471).
Multicast Threshold | Shows if multicast storm suppression is enabled or disabled; if enabled it also shows the threshold level (page 471).
Transceiver Threshold Configuration

transceiver-monitor
This command sends a trap when any of the transceiver’s operational values fall outside of specified thresholds. Use the no form to disable trap messages.
transceiver-threshold current
This command sets thresholds for transceiver current which can be used to trigger an alarm or warning message.

Syntax
transceiver-threshold current {high-alarm | high-warning | low-alarm | low-warning} threshold-value
high-alarm – Sets the high current threshold for an alarm message.
high-warning – Sets the high current threshold for a warning message.
Example
The following example sets alarm thresholds for the transceiver current at port 25.
Example
The following example sets alarm thresholds for the signal power received at port 25.

Console(config)#interface ethernet 1/25
Console(config-if)#transceiver-threshold rx-power low-alarm -21
Console(config-if)#transceiver-threshold rx-power high-alarm -3
Console#

transceiver-threshold temperature
This command sets thresholds for the transceiver temperature which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the transceiver temperature at port 25.
Example
The following example sets alarm thresholds for the signal power transmitted at port 25.

Console(config)#interface ethernet 1/25
Console(config-if)#transceiver-threshold tx-power low-alarm -2990
Console(config-if)#transceiver-threshold tx-power high-alarm -300
Console#

transceiver-threshold voltage
This command sets thresholds for the transceiver voltage which can be used to trigger an alarm or warning message.
Example
The following example sets alarm thresholds for the transceiver voltage at port 25.
DDM Information
 Temperature  : 31.36 degree C
 Vcc          : 3.32 V
 Bias Current : 25.61 mA
 TX Power     : -3.11 dBm
 RX Power     : -40.00 dBm
DDM Thresholds
                      Low Alarm    Low Warning  High Warning High Alarm
 -------------------- ------------ ------------ ------------ ------------
 Temperature(Celsius)       -25.00       -20.00        90.00        95.00
 Voltage(Volts)               2.80         2.90         3.70         3.80
 Current(mA)                  2.00         3.00        80.00        90.00
 TxPower(dBm)                -7.96        -6.99         1.00         2.01
 RxPower(dBm)               -20.00       -19.00         0.00         1.
Console#
Transceiver-monitor : Disabled
Transceiver-threshold-auto : Enabled
                      Low Alarm    Low Warning  High Warning High Alarm
 -------------------- ------------ ------------ ------------ ------------
 Temperature(Celsius)       -25.00       -20.00        90.00        95.00
 Voltage(Volts)               2.80         2.90         3.70         3.80
 Current(mA)                  2.00         3.00        80.00        90.00
 TxPower(dBm)                -7.96        -6.99         1.00         2.01
 RxPower(dBm)               -20.00       -19.00         0.00         1.
Console#
◆ Potential conditions which may be listed by the diagnostics include those listed below.
 ■ Pair busy, linked partner in 100BASE-TX forced mode
 ■ Interpair short
 ■ Intrapair short
 ■ Pair open, fault detected
 ■ Invalid, cable diagnostic routine did not complete successfully
◆ Ports must have auto-negotiation enabled
◆ Ports are linked down while running cable diagnostics.
Command Usage
◆ Loopback testing can only be performed on a port that is not linked up. The internal loopback makes it possible to check that an interface is working properly without having to make any network connections.
◆ When performing an internal loopback test, packets from the specified interface are looped back into its internal PHY. Outgoing data is looped back to the receiver without actually being transmitted.
Example
Console#show cable-diagnostics dsp interface ethernet 1/21
Cable Diagnostics on interface Ethernet 1/21:
 Cable OK with accuracy 10 meters.
 Pair A OK, length 0 meters
 Pair B OK, length 0 meters
 Pair C OK, length 7 meters
 Pair D Open, length 2 meters
 Last Update 0n 2018-05-31 09:16:57
Console#

show loop internal
This command shows the results of a loop back test.
Command Usage
◆ IEEE 802.3 defines the Ethernet standard and subsequent power requirements based on cable connections operating at 100 meters. Enabling power saving mode can reduce power used for cable lengths of 60 meters or less, with more significant reduction for cables of 20 meters or less, and continue to ensure signal integrity.
◆ Power saving mode only applies to the Gigabit Ethernet ports using copper media.
show power-save
This command shows the configuration settings for power savings.

Syntax
show power-save [interface interface]
interface
 ethernet unit/port
 unit - Unit identifier. (Range: 1)
 port - Port number.
12 Link Aggregation Commands

Ports can be statically grouped into an aggregate link (i.e., trunk) to increase the bandwidth of a network connection or to ensure fault recovery. Or you can use the Link Aggregation Control Protocol (LACP) to automatically negotiate a trunk link between this switch and another network device. For static trunks, the switches have to comply with the Cisco EtherChannel standard. For dynamic trunks, the switches have to comply with LACP. This switch supports up to 26 trunks.
Guidelines for Creating Trunks

General Guidelines –
◆ Finish configuring trunks before you connect the corresponding network cables between switches to avoid creating a loop.
◆ A trunk can have up to 26 ports.
◆ The ports at both ends of a connection must be configured as trunk ports.
◆ All ports in a trunk must be configured in an identical manner, including communication mode (i.e., speed and duplex mode), VLAN assignments, and CoS settings.
Manual Configuration Commands

port-channel load-balance
This command sets the load-distribution method among ports in aggregated links (for both static and dynamic trunks). Use the no form to restore the default setting.

Syntax
port-channel load-balance {dst-ip | dst-mac | src-dst-ip | src-dst-mac | src-ip | src-mac}
no port-channel load-balance
dst-ip - Load balancing based on destination IP address.
router trunk links where traffic through the switch is received from and destined for many different hosts.
■ src-dst-mac: All traffic with the same source and destination MAC address is output on the same link in a trunk. This mode works best for switch-to-switch trunk links where traffic through the switch is received from and destined for many different hosts.
Example
The following example creates trunk 1 and then adds ports 10-12:

Console(config)#interface port-channel 1
Console(config-if)#exit
Console(config)#interface ethernet 1/10-12
Console(config-if)#channel-group 1
Console(config-if)#

Dynamic Configuration Commands

lacp
This command enables 802.3ad Link Aggregation Control Protocol (LACP) for the current interface. Use the no form to disable it.
Example
The following shows LACP enabled on ports 1-3. Because LACP has also been enabled on the ports at the other end of the links, the show interfaces status port-channel 1 command shows that Trunk1 has been established.
Default Setting
Actor: Dependent on the port speed, i.e., 1000f - 4, 100f - 3, 10f - 2
Partner: 0

Command Mode
Interface Configuration (Ethernet)

Command Usage
Ports are only allowed to join the same LAG if (1) the LACP system priority matches, (2) the LACP port admin key matches, and (3) the LACP port channel key matches (if configured).
Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Setting a lower value indicates a higher effective priority.
◆ If an active port link goes down, the backup port with the highest priority is selected to replace the downed link. However, if two or more ports have the same LACP port priority, the port with the lowest physical port number will be selected as the backup port.
◆ System priority is combined with the switch’s MAC address to form the LAG identifier. This identifier is used to indicate a specific LAG during LACP negotiations with other systems.
◆ Once the remote side of a link has been established, LACP operational settings are already in use on that side.
Example
Console(config)#interface port-channel 1
Console(config-if)#lacp admin-key 3
Console(config-if)#

lacp timeout
This command configures the timeout to wait for the next LACP data unit (LACPDU).

Syntax
lacp timeout {long | short}
long - Specifies a slow timeout of 90 seconds.
short - Specifies a fast timeout of 3 seconds.
Trunk Status Display Commands

show lacp
This command displays LACP information.

Syntax
show lacp [port-channel] {counters | internal | neighbors | sysid}
port-channel - Local identifier for a link aggregation group. (Range: 1-26)
counters - Statistics for LACP protocol messages.
internal - Configuration settings and operational state for local side.
neighbors - Configuration settings and operational state for remote side.
Table 78: show lacp counters - display description
Field | Description
LACPDUs Sent | Number of valid LACPDUs transmitted from this channel group.
LACPDUs Received | Number of valid LACPDUs received on this channel group.
MarkerPDU Sent | Number of valid Marker PDUs transmitted from this channel group.
MarkerPDU Received | Number of valid Marker PDUs received by this channel group.
Table 79: show lacp internal - display description (Continued)
Field | Description
Admin State, Oper State | Administrative or operational values of the actor’s state parameters:
 ◆ Expired – The actor’s receive machine is in the expired state;
 ◆ Defaulted – The actor’s receive machine is using defaulted operational partner information, administratively configured for the partner.
Table 80: show lacp neighbors - display description (Continued)
Field | Description
Partner Admin Key | Current administrative value of the Key for the protocol partner.
Partner Oper Key | Current operational value of the Key for the protocol partner.
Partner Admin Key | Administrative values of the partner’s state parameters. (See preceding table.)
Partner Admin Key | Operational values of the partner’s state parameters.
13 Port Mirroring Commands

Data can be mirrored from a local port on the same switch or from a remote port on another switch for analysis at the target port using software monitoring tools or a hardware probe. This switch supports the following mirroring modes.
Default Setting
◆ No mirror session is defined.
◆ When enabled for an interface, default mirroring is for both received and transmitted packets.
◆ When enabled for a VLAN or a MAC address, mirroring is restricted to received packets.

Command Mode
Interface Configuration (Ethernet, destination port)

Command Usage
You can mirror traffic from any source port to a destination port for real-time analysis.
show port monitor
This command displays mirror information.

Syntax
show port monitor [interface]
interface - ethernet unit/port (source port)
 unit - Unit identifier. (Range: 1)
 port - Port number. (Range: 1-28)

Default Setting
Shows all sessions.

Command Mode
Privileged Exec

Command Usage
This command displays the currently configured source port, destination port, and mirror mode (i.e., RX, TX, RX/TX).
Table 84: RSPAN Commands (Continued)
Command | Function | Mode
rspan remote vlan | Specifies the RSPAN VLAN, switch role (source, intermediate or destination), and the uplink ports | GC
no rspan session | Deletes a configured RSPAN session | GC
show rspan | Displays the configuration settings for an RSPAN session | PE

Configuration Guidelines
Take the following steps to configure an RSPAN session:
1.
has been configured, MAC address learning will still not be re-started on the RSPAN uplink ports.
◆ IEEE 802.1X – RSPAN and 802.1X are mutually exclusive functions. When 802.1X is enabled globally, RSPAN uplink ports cannot be configured, even though RSPAN source and destination ports can still be configured. When RSPAN uplink ports are enabled on the switch, 802.1X cannot be enabled globally.
◆ Only ports can be configured as an RSPAN source – static and dynamic trunks are not allowed.
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN source port – access ports are not allowed (see switchport mode).
◆ The source port and destination port cannot be configured on the same switch.
◆ Only ports can be configured as an RSPAN destination – static and dynamic trunks are not allowed.
◆ The source port and destination port cannot be configured on the same switch.
◆ A destination port can still send and receive switched traffic, and participate in any Layer 2 protocols to which it has been assigned.
Command Usage
◆ Only 802.1Q trunk or hybrid (i.e., general use) ports can be configured as an RSPAN uplink port – access ports are not allowed (see switchport mode).
◆ Only one uplink port can be configured on a source switch, but there is no limitation on the number of uplink ports configured on an intermediate or destination switch.
◆ Only destination and uplink ports will be assigned by the switch as members of this VLAN.
show rspan
Use this command to display the configuration settings for an RSPAN session.

Syntax
show rspan session [session-id]
session-id – A number identifying this RSPAN session.
14 Congestion Control Commands

The switch can set the maximum upload or download data transfer rate for any port. It can control traffic storms by setting a maximum threshold for broadcast traffic or multicast traffic. It can also set bounding thresholds for broadcast and multicast storms which can be used to automatically trigger rate limits or to shut down a port.

Table 85: Congestion Control Commands
Command Group | Function
Rate Limiting | Sets the input and output rate limits for a port.
rate-limit
This command defines the rate limit for a specific interface. Use this command without specifying a rate to enable rate limiting. Use the no form to disable rate limiting.

Syntax
rate-limit {input | output} [rate]
no rate-limit {input | output}
input – Input rate for specified interface
output – Output rate for specified interface
rate – Maximum value in Kbps.
Storm Control Commands

Storm control commands can be used to configure broadcast, multicast, and unknown unicast storm control thresholds. Traffic storms may occur when a device on your network is malfunctioning, or if application programs are not well designed or properly configured. If there is too much traffic on your network, performance can be severely degraded or everything can come to a complete halt.
Command Usage
◆ When traffic exceeds the threshold specified for broadcast and multicast or unknown unicast traffic, packets exceeding the threshold are dropped until the rate falls back down beneath the threshold.
◆ Traffic storms can be controlled at the hardware level using this command or at the software level using the auto-traffic-control command. However, only one of these control types can be applied to a port.
Table 88: ATC Commands (Continued)
Command | Function | Mode
auto-traffic-control alarm-fire-threshold | Sets the upper threshold for ingress traffic beyond which a storm control response is triggered after the apply timer expires | IC (Port)
auto-traffic-control auto-control-release | Automatically releases a control response | IC (Port)
auto-traffic-control control-release | Manually releases a control response | PE
snmp-server enable
Usage Guidelines
ATC includes storm control for broadcast or multicast traffic. The control response for either of these traffic types is the same, as shown in the following diagrams.
Figure 2: Storm Control by Shutting Down a Port

The key elements of this diagram are the same as those described in the preceding diagram, except that automatic release of the control response is not provided. When traffic control is applied, you must manually re-enable the port.

Functional Limitations
Automatic storm control is a software level control function.
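The interaction of the two thresholds and two timers is easier to judge against a traffic trace than from the command descriptions alone. The following is an added example, not part of the original guide or of the switch software: a simplified per-port model of the rate-control and shutdown responses, sampled once per second. It assumes that an alarm is dropped if traffic falls below the lower threshold before the apply timer expires, and that a new storm during the release timer returns the port to the control state; the 200 kpps upper threshold and the traces are constructed, while 128 kpps, 300 s and 900 s follow values shown in this chapter.

```python
from dataclasses import dataclass, field


@dataclass
class AtcPort:
    """Simplified model of automatic traffic control on one port (assumed timing)."""
    fire_kpps: int                 # alarm-fire-threshold (upper threshold)
    clear_kpps: int                # alarm-clear-threshold (lower threshold)
    apply_timer: int               # seconds before a control response is applied
    release_timer: int             # seconds before a control response is released
    action: str = "rate-control"   # or "shutdown"
    auto_release: bool = True      # models auto-control-release
    state: str = "normal"
    timer: int = 0
    events: list = field(default_factory=list)

    def _enter(self, state, timer, t, event):
        self.state, self.timer = state, timer
        self.events.append((t, event))

    def tick(self, t, rate):
        """Advance the model by one second with the ingress rate in kpps."""
        if self.state == "normal":
            if rate > self.fire_kpps:
                self._enter("alarm", self.apply_timer, t, "alarm-fire")
        elif self.state == "alarm":
            if rate < self.clear_kpps:
                # Assumption: a burst shorter than the apply timer needs no response.
                self._enter("normal", 0, t, "alarm-clear")
            else:
                self.timer -= 1
                if self.timer <= 0:
                    target = "shutdown" if self.action == "shutdown" else "control"
                    self._enter(target, 0, t, "control-apply")
        elif self.state == "control":
            if rate < self.clear_kpps:
                self._enter("releasing", self.release_timer, t, "alarm-clear")
        elif self.state == "releasing":
            if rate > self.fire_kpps:
                # Assumption: a renewed storm cancels the pending release.
                self._enter("control", 0, t, "alarm-fire")
            elif self.auto_release:
                self.timer -= 1
                if self.timer <= 0:
                    self._enter("normal", 0, t, "control-release")
        # state "shutdown": the port stays down until manual_release() is called.

    def manual_release(self, t):
        """Models control-release, or re-enabling a port that was shut down."""
        if self.state in ("control", "releasing", "shutdown"):
            self._enter("normal", 0, t, "control-release")


def simulate(port, trace):
    """Feed a list of per-second rates (kpps) to the port and return its events."""
    for t, rate in enumerate(trace):
        port.tick(t, rate)
    return port.events


def storm(seconds, idle_after):
    """Constructed trace: 10 s at 50 kpps, a 400 kpps storm, then 50 kpps again."""
    return [50] * 10 + [400] * seconds + [50] * idle_after


if __name__ == "__main__":
    cases = (
        ("400 s storm, rate-control", AtcPort(200, 128, 300, 900), storm(400, 1000)),
        ("120 s burst, rate-control", AtcPort(200, 128, 300, 900), storm(120, 100)),
        ("400 s storm, shutdown", AtcPort(200, 128, 300, 900, action="shutdown"),
         storm(400, 1000)),
    )
    for label, port, trace in cases:
        print(label, simulate(port, trace), "final state:", port.state)
```

With these values a storm has to last the full 300 seconds before any response is applied, and a port under the shutdown action stays down until it is released by hand.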
Command Usage
After the apply timer expires, a control action may be triggered as specified by the auto-traffic-control action command and a trap message sent as specified by the snmp-server enable port-traps atc broadcast-control-apply command or snmp-server enable port-traps atc multicast-control-apply command.

Example
This example sets the apply timer to 200 seconds for all ports.
auto-traffic-control
This command enables automatic traffic control for broadcast or multicast storms. Use the no form to disable this feature.

Syntax
[no] auto-traffic-control {broadcast | multicast}
broadcast - Specifies automatic storm control for broadcast traffic.
multicast - Specifies automatic storm control for multicast traffic.
shutdown - If a control response is triggered, the port is administratively disabled. A port disabled by automatic traffic control can only be manually re-enabled.

Default Setting
rate-control

Command Mode
Interface Configuration (Ethernet)

Command Usage
When the upper threshold is exceeded and the apply timer expires, a control response will be triggered based on this command.
Default Setting
128 kilo-packets per second

Command Mode
Interface Configuration (Ethernet)

Command Usage
◆ Once the traffic rate falls beneath the lower threshold, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-clear command or snmp-server enable port-traps atc multicast-alarm-clear command.
Command Usage
◆ Once the upper threshold is exceeded, a trap message may be sent if configured by the snmp-server enable port-traps atc broadcast-alarm-fire command or snmp-server enable port-traps atc multicast-alarm-fire command.
Example
Console(config)#auto-traffic-control broadcast auto-control-release interface ethernet 1/1
Console(config)#

auto-traffic-control control-release
This command manually releases a control response for the specified Ethernet port.

Syntax
auto-traffic-control {broadcast | multicast} control-release ethernet interface port
broadcast - Specifies automatic storm control for broadcast traffic.
Command Mode
Interface Configuration (Ethernet)

Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-alarm-clear
Console(config-if)#

Related Commands
auto-traffic-control action (477)
auto-traffic-control alarm-clear-threshold (478)

snmp-server enable port-traps atc
This command sends a trap when broadcast traffic exceeds the upper threshold for automatic storm control.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc broadcast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (479)
auto-traffic-control apply-timer (475)

snmp-server enable port-traps atc
This command sends a trap when broadcast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
Command Mode
Interface Configuration (Ethernet)
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-alarm-clear
Console(config-if)#
Related Commands
auto-traffic-control action (477)
auto-traffic-control alarm-clear-threshold (478)

snmp-server enable port-traps atc
This command sends a trap when multicast traffic exceeds the upper threshold for automatic storm control.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#snmp-server enable port-traps atc multicast-control-apply
Console(config-if)#
Related Commands
auto-traffic-control alarm-fire-threshold (479)
auto-traffic-control apply-timer (475)

snmp-server enable port-traps atc
This command sends a trap when multicast traffic falls beneath the lower threshold after a storm control response has been triggered and the release ti
release-timer (sec) : 900
Storm-control: Multicast
Apply-timer(sec) : 300
release-timer(sec) : 900
Console#

show auto-traffic-control interface
This command shows interface configuration settings and storm control status for the specified port.
Syntax
show auto-traffic-control interface [interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
15 Loopback Detection Commands
The switch can be configured to detect general loopback conditions caused by hardware problems or faulty protocol settings. When loopback detection (LBD) is enabled, a control frame is transmitted on the participating ports, and the switch monitors inbound traffic to see if the frame is looped back.
loopback-detection
This command enables loopback detection globally on the switch or on a specified interface. Use the no form to disable loopback detection.
Syntax
[no] loopback-detection
Default Setting
Disabled
Command Mode
Global Configuration
Interface Configuration (Ethernet, Port Channel)
Command Usage
Loopback detection must be enabled globally for the switch by this command and enabled for a specific interface for this function to take effect.
Command Mode
Global Configuration
Command Usage
◆ When the response to a detected loopback condition is set to block user traffic, loopback detection control frames may be untagged or tagged depending on the port’s VLAN membership type.
◆ When the response to a detected loopback condition is set to block user traffic, ingress filtering for the port is enabled automatically if not already enabled by the switchport ingress-filtering command.
◆ The recover-time is the maximum time when recovery is triggered after a loop is detected. The actual interval between recovery and detection will be less than or equal to the recover-time.
◆ If the recovery time is set to zero, all ports placed in shutdown state can be restored to operation using the loopback-detection release command. To restore a specific port, use the no shutdown command.
none - Does not send an SNMP trap for loopback detection or recovery.
recover - Sends an SNMP trap message when the switch recovers from a loopback condition.
Default Setting
None
Command Mode
Global Configuration
Command Usage
Refer to the loopback-detection recover-time command for information on conditions which constitute loopback recovery.
Command Mode
Privileged Exec
Example
Console#show loopback-detection
Loopback Detection Global Information
 Global Status     : Enabled
 Transmit Interval : 10
 Recover Time      : 60
 Action            : Shutdown
 Trap              : None
Loopback Detection Port Information
 Port     Admin State Oper State
 -------- ----------- ---------
 Eth 1/ 1 Enabled     Normal
 Eth 1/ 2 Disabled    Normal
 Eth 1/ 3 Disabled    Normal
 .
 .
 .
16 UniDirectional Link Detection Commands
The switch can be configured to detect and disable unidirectional Ethernet fiber or copper links. When enabled, the protocol advertises a port’s identity, learns about its neighbors on a specific LAN segment, and stores information about its neighbors in a cache. It can also send out a train of echo messages under circumstances that require fast notifications or re-synchronization of the cached information.
Command Usage
When a neighbor device is discovered by UDLD, the switch enters “detection state” and remains in this state for the specified detection-interval. After the detection-interval expires, the switch tries to decide whether or not the link is unidirectional based on the information collected during “detection state.
udld recovery
This command configures the switch to automatically recover from UDLD disabled port state after a period specified by the udld recovery-interval command. Use the no form to disable this feature.
Syntax
[no] udld recovery
Default Setting
Disabled
Command Mode
Global Configuration
Command Usage
When automatic recovery state is changed by this command, any ports shut down by UDLD will be reset.
Example
Console(config)#udld recovery-interval 40
Console(config)#

udld aggressive
This command sets UDLD to aggressive mode on an interface. Use the no form to restore the default setting.
Syntax
[no] udld aggressive
Default Setting
Disabled
Command Mode
Interface Configuration (Ethernet Port)
Command Usage
UDLD can function in two modes: normal mode and aggressive mode.
Example
This example enables UDLD aggressive mode on port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#udld aggressive
Console(config-if)#

udld port
This command enables UDLD on a port. Use the no form to disable UDLD on an interface.
show udld
This command shows UDLD configuration settings and operational status for the switch or for a specified interface.
Syntax
show udld [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Table 91: show udld - display description (Continued)
Field               Description
Recovery Interval   Shows the period after which to recover from UDLD disabled port state if automatic recovery is enabled
Interface           Ethernet Unit/Port number
UDLD                Shows if UDLD is enabled or disabled on a port
Mode                Shows if UDLD is functioning in Normal or Aggressive mode
Oper State          Shows the UDLD operational state (Disabled, Link down, Link up, Advertisement, Detection, Dis
17 Address Table Commands
These commands are used to configure the address table for filtering specified addresses, displaying current entries, clearing the table, or setting the aging time.
mac-address-table static
This command maps a static address to a port in a VLAN, and optionally designates the address as permanent, or to be deleted on reset. Use the no form to remove an address.
Syntax
mac-address-table static mac-address interface interface vlan vlan-id [action]
no mac-address-table static mac-address vlan vlan-id
mac-address - MAC address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Example
Console(config)#mac-address-table static 00-e0-29-94-34-de interface ethernet 1/1 vlan 1 delete-on-reset
Console(config)#

clear mac-address-table dynamic
This command removes any learned entries from the forwarding database.
Syntax
clear mac-address-table dynamic [[all] | [address mac-address [mask]] | [interface interface] | [vlan vlan-id]]
all - all learned entries
address mac-address - MAC address.
mask - Bits to match in the address.
show mac-address-table
This command shows classes of entries in the bridge-forwarding database.
Syntax
show mac-address-table [address mac-address [mask]] [interface interface] [vlan vlan-id] [sort {address | vlan | interface}]
mac-address - MAC address.
mask - Bits to match in the address.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
 00-E0-4C-68-14-79    1 Trunk 1 Learn Delete on Timeout
 28-76-10-07-2E-73    1 Trunk 1 Learn Delete on Timeout
 70-72-CF-92-9A-8A    1 Trunk 1 Learn Delete on Timeout
 70-72-CF-92-9A-8C    1 Trunk 1 Learn Delete on Timeout
 8C-EA-1B-B7-C9-F4    1 CPU     CPU   Delete on Reset
Console#

show mac-address-
This command shows the aging time for entries in the address table.
Dynamic Address Count :1
Console#
18 Smart Pair Commands
Smart Pair Concept
A smart pair consists of two ports which are paired to provide layer 2 link redundancy. The pair consists of a primary port and a backup port. All traffic is forwarded through the primary port and the backup port will be set to standby. If the primary port link goes down, the backup port is activated and all traffic is forwarded through it. If the primary port recovers, all traffic will again be forwarded through the primary port after a configured delay.
Command Mode
Global Configuration
Command Usage
Use the command to create a new smart pair or to enter the smart-pair configuration mode of an existing smart pair.
Example
Console(config)#smart-pair 1
Console(config-smart-pair)#

smart-pair restore
Use the smart-pair restore command to manually restore traffic to the primary port of a specified smart pair.
Syntax
smart-pair restore ID
ID - Identification Number.
Syntax
primary-port interface
no primary-port
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)
port-channel channel-id (Range: 1-26)
Default Setting
None
Command Mode
Smart Pair Configuration Mode
Command Usage
When setting the primary-port of the smart pair the following limitations are enforced:
◆ Spanning-Tree must be disabled on the port.
Syntax
backup-port interface
no backup
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number. (Range: 1-28)
port-channel channel-id (Range: 1-26)
Default Setting
None
Command Mode
Smart Pair Configuration Mode
Command Usage
When setting the backup-port of the smart pair the following limitations are enforced:
◆ Spanning-Tree must be disabled on the port.
wtr-delay
This command sets the wait-to-restore delay for a smart pair. Use the no form of the command to set the delay to the default value.
Syntax
wtr-delay seconds
seconds - delay in seconds (Range: 0, 5-3600)
Default Setting
None
Command Mode
Smart Pair Configuration Mode
Command Usage
◆ If the wtr-delay parameter is set to 0, traffic will not be restored after a failed port is recovered.
Example
Console#show smart-pair
ID   Primary Port Backup Port
---- ------------ ----------
1    Eth 1/ 1     Eth 1/ 2
Console#
19 TWAMP Commands
The Two-Way Active Measurement Protocol (TWAMP) is defined by RFC 5357. TWAMP is an open protocol for measuring network performance between any two devices that support the TWAMP protocol. TWAMP uses the methodology and architecture of OWAMP (One-Way Active Measurement Protocol, RFC 4656), which defines an open protocol for the measurement of one-way metrics, but extends it to two-way, or round-trip, metrics.
Example
Console(config)#twamp reflector
Console(config)#

twamp reflector refwait
This command sets the TWAMP session timeout on the switch. Use the no form to restore the default.
Syntax
twamp reflector refwait seconds
no twamp reflector refwait
seconds - The timeout value in seconds.
20 Spanning Tree Commands
This section includes commands that configure the Spanning Tree Algorithm (STA) globally for the switch, and commands that configure STA for the selected interface.
Table 95: Spanning Tree Commands (Continued)
Command                                         Function                                                  Mode
spanning-tree loopback-detection release-mode   Configures loopback release mode for a port               IC
spanning-tree loopback-detection trap           Enables BPDU loopback SNMP trap notification for a port   IC
spanning-tree mst cost                          Configures the path cost of an instance in the MST        IC
spanning-tree mst port-priority                 Configures the priority of an instance in the MST         IC
spanning-tree port-bpdu-flooding                Floods BPDU
Example
This example shows how to enable the Spanning Tree Algorithm for the switch:
Console(config)#spanning-tree
Console(config)#

spanning-tree forward-time
This command configures the spanning tree bridge forward time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree forward-time seconds
no spanning-tree forward-time
seconds - Time in seconds. (Range: 4 - 30 seconds)
The minimum value is the higher of 4 or [(max-age / 2) + 1].
spanning-tree hello-time
This command configures the spanning tree bridge hello time globally for this switch. Use the no form to restore the default.
Syntax
spanning-tree hello-time time
no spanning-tree hello-time
time - Time in seconds. (Range: 1-10 seconds).
The maximum value is the lower of 10 or [(max-age / 2) - 1].
Command Usage
This command sets the maximum time (in seconds) a device can wait without receiving a configuration message before attempting to reconverge. All device ports (except for designated ports) should receive configuration messages at regular intervals. Any port that ages out STA information (provided in the last configuration message) becomes the designated port for the attached LAN.
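The forward-time and hello-time limits quoted above both depend on max-age, so changing one timer can make another invalid. The following Python check is an added example, not part of the guide: it assumes the command name `spanning-tree max-age`, takes its starting values from the bridge timers in this chapter's sample show spanning-tree output, and assumes that for odd max-age values the division is exact and the limit is rounded to the safe side.

```python
import math
import re

FORWARD_RANGE = (4, 30)   # range given in the forward-time syntax
HELLO_RANGE = (1, 10)     # range given in the hello-time syntax
# Assumed starting values: bridge timers in the guide's sample
# "show spanning-tree" output (hello 2, max age 20, forward delay 15).
DEFAULTS = {"hello-time": 2, "max-age": 20, "forward-time": 15}

# "spanning-tree max-age" is an assumed command name; the other two
# appear in the syntax sections above.
TIMER_RE = re.compile(
    r"^\s*(no\s+)?spanning-tree (hello-time|max-age|forward-time)(?:\s+(\d+))?\s*$"
)

# Constructed configuration lines for illustration.
SAMPLE_CONFIG = """\
spanning-tree max-age 30
spanning-tree hello-time 3
"""


def parse_timers(config_text):
    """Apply timer commands in order, starting from the assumed defaults."""
    timers = dict(DEFAULTS)
    for line in config_text.splitlines():
        m = TIMER_RE.match(line)
        if not m:
            continue
        negated, name, value = m.groups()
        if negated:
            timers[name] = DEFAULTS[name]      # no form restores the default
        elif value is not None:
            timers[name] = int(value)
    return timers


def allowed_ranges(max_age):
    """Ranges for forward-time and hello-time implied by a given max-age."""
    # forward-time minimum: higher of 4 or (max-age / 2) + 1, rounded up
    fwd_min = max(FORWARD_RANGE[0], math.ceil(max_age / 2 + 1))
    # hello-time maximum: lower of 10 or (max-age / 2) - 1, rounded down
    hello_max = min(HELLO_RANGE[1], math.floor(max_age / 2 - 1))
    return {
        "forward-time": (fwd_min, FORWARD_RANGE[1]),
        "hello-time": (HELLO_RANGE[0], hello_max),
    }


def check_timers(timers):
    """Return a list of human-readable violations (empty when consistent)."""
    ranges = allowed_ranges(timers["max-age"])
    problems = []
    for name in ("forward-time", "hello-time"):
        lo, hi = ranges[name]
        if not lo <= timers[name] <= hi:
            problems.append(
                f"{name} {timers[name]} outside {lo}-{hi} for max-age {timers['max-age']}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_timers(parse_timers(SAMPLE_CONFIG)):
        print(problem)
```

With the constructed sample, raising max-age to 30 leaves the assumed forward-time of 15 below its new minimum of 16, which is the kind of partial change that gets rejected or causes slow reconvergence.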
◆ Rapid Spanning Tree Protocol
RSTP supports connections to either STP or RSTP nodes by monitoring the incoming protocol messages and dynamically adjusting the type of protocol messages the RSTP node transmits, as described below:
■ STP Mode – If the switch receives an 802.1D BPDU after a port’s migration delay timer expires, the switch assumes it is connected to an 802.1D bridge and starts using only 802.1D BPDUs.
■ RSTP Mode – If RSTP is using 802.
Command Mode
Global Configuration
Command Usage
◆ The path cost method is used to determine the best path between devices. Therefore, lower values should be assigned to ports attached to faster media, and higher values assigned to ports with slower media. Note that path cost (page 529) takes precedence over port priority (page 536).
◆ The path cost methods apply to all spanning tree modes (STP, RSTP and MSTP).
spanning-tree mst configuration
This command changes to Multiple Spanning Tree (MST) configuration mode.
Syntax
spanning-tree mst configuration
Default Setting
No VLANs are mapped to any MST instance.
The region name is set to the switch’s MAC address.
Command Usage
The spanning-tree system-bpdu-flooding command has no effect if BPDU flooding is disabled on a port (see the spanning-tree port-bpdu-flooding command).
Example
Console(config)#spanning-tree system-bpdu-flooding to-all
Console(config)#

spanning-tree transmission-limit
This command configures the minimum interval between the transmission of consecutive RSTP/MSTP BPDUs. Use the no form to restore the default.
Command Mode
MST Configuration
Command Usage
An MSTI region is treated as a single node by the STP and RSTP protocols. Therefore, the message age for BPDUs inside an MSTI region is never changed. However, each spanning tree instance within a region, and the internal spanning tree (IST) that connects these instances use a hop count to specify the maximum number of bridges that will propagate a BPDU. Each bridge decrements the hop count by one before passing on the BPDU.
Example
Console(config-mstp)#mst 1 priority 4096
Console(config-mstp)#

mst vlan
This command adds VLANs to a spanning tree instance. Use the no form to remove the specified VLANs. Use the no form without any VLAN parameters to remove all VLANs.
Syntax
[no] mst instance-id vlan vlan-range
instance-id - Instance identifier of the spanning tree. (Range: 0-4094)
vlan-range - Range of VLANs.
name
This command configures the name for the multiple spanning tree region in which this switch is located. Use the no form to clear the name.
Syntax
name name
no name
name - Name of the spanning tree (Range: 1-32 characters).
Default Setting
Switch’s MAC address
Command Mode
MST Configuration
Command Usage
The MST region name and revision number (page 526) are used to designate a unique MST region. A bridge (i.e.
switch) can only belong to one MST region. And all bridges in the same region must be configured with the same MST instances.
Example
Console(config-mstp)#revision 1
Console(config-mstp)#
Related Commands
name (526)

spanning-tree bpdu-filter
This command allows you to avoid transmitting BPDUs on configured edge ports that are connected to end nodes. Use the no form to disable this feature.
spanning-tree bpdu-guard
This command shuts down an edge port (i.e., an interface set for fast forwarding) if it receives a BPDU. Use the no form without any keywords to disable this feature, or with a keyword to restore the default settings.
Syntax
spanning-tree bpdu-guard [auto-recovery [interval interval]]
no spanning-tree bpdu-guard [auto-recovery [interval]]
auto-recovery - Automatically re-enables an interface after the specified interval.
spanning-tree cost
This command configures the spanning tree path cost for the specified interface. Use the no form to restore the default auto-configuration mode.
Syntax
spanning-tree cost cost
no spanning-tree cost
cost - The path cost for the port. (Range: 0 for auto-configuration, 1-65535 for short path cost method, 1-200,000,000 for long path cost method)
Table 96: Recommended STA Path Cost Range
Port Type   Short Path Cost (IEEE 802.1D-1998)   Long Path Cost (802.
◆ Path cost takes precedence over port priority.
◆ When the path cost method (page 520) is set to short, the maximum value for path cost is 65,535.
Example
Console(config)#interface ethernet 1/5
Console(config-if)#spanning-tree cost 50
Console(config-if)#

spanning-tree edge-port
This command specifies an interface as an edge port. Use the no form to restore the default.
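The bpdu-filter, bpdu-guard and edge-port commands described above interact: an edge port moves to forwarding quickly, and bpdu-guard is what shuts it down if a bridge is plugged in. The following Python audit is an added example, not part of the guide; the indented interface-block layout of the configuration text is an assumption, and the sample configuration is constructed. It also shows the page's rule that the no form of bpdu-guard with a keyword only restores defaults and leaves the guard enabled.

```python
import re

# Constructed configuration excerpt for illustration (not captured from a switch).
SAMPLE_CONFIG = """\
interface ethernet 1/1
 spanning-tree edge-port
 spanning-tree bpdu-guard
!
interface ethernet 1/2
 spanning-tree edge-port
!
interface ethernet 1/3
 spanning-tree edge-port
 spanning-tree bpdu-filter
!
interface ethernet 1/4
 spanning-tree bpdu-guard auto-recovery interval 60
!
interface ethernet 1/5
 spanning-tree edge-port
 spanning-tree bpdu-guard auto-recovery
 no spanning-tree bpdu-guard auto-recovery
!
interface ethernet 1/6
 spanning-tree edge-port
 spanning-tree bpdu-guard
 no spanning-tree bpdu-guard
!
interface ethernet 1/10
 spanning-tree bpdu-filter
!
"""

IFACE_RE = re.compile(r"^interface ethernet (\d+)/(\d+)\s*$")
STP_RE = re.compile(
    r"^\s+(no\s+)?spanning-tree (edge-port|bpdu-guard|bpdu-filter)(?:\s+(\S.*?))?\s*$"
)


def parse_interfaces(config_text):
    """Return {(unit, port): set of enabled features}, applying lines in order."""
    ports, current = {}, None
    for line in config_text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = ports.setdefault((int(m.group(1)), int(m.group(2))), set())
            continue
        if not line[:1].isspace():
            current = None          # "!" or a global command ends the block
            continue
        m = STP_RE.match(line)
        if m is None or current is None:
            continue
        negated, feature, keywords = m.groups()
        if not negated:
            current.add(feature)
        elif feature == "bpdu-guard" and keywords:
            pass                    # no form with a keyword restores defaults only
        else:
            current.discard(feature)
    return ports


def audit(ports):
    """List (port, finding) pairs in unit/port order."""
    findings = []
    for port in sorted(ports):
        feats = ports[port]
        name = f"{port[0]}/{port[1]}"
        if "edge-port" in feats and "bpdu-guard" not in feats:
            findings.append((name, "edge port without bpdu-guard"))
        for feat in ("bpdu-guard", "bpdu-filter"):
            if feat in feats and "edge-port" not in feats:
                findings.append((name, f"{feat} set on a port that is not an edge port"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_interfaces(SAMPLE_CONFIG)):
        print(f"Eth {name}: {finding}")
```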
spanning-tree link-type
This command configures the link type for Rapid Spanning Tree and Multiple Spanning Tree. Use the no form to restore the default.
Syntax
spanning-tree link-type {auto | point-to-point | shared}
no spanning-tree link-type
auto - Automatically derived from the duplex mode setting.
point-to-point - Point-to-point link.
shared - Shared medium.
Command Usage
◆ If Port Loopback Detection is not enabled and a port receives its own BPDU, then the port will drop the loopback BPDU according to IEEE Standard 802.1W-2001 9.3.4 (Note 1).
◆ Port Loopback Detection will not be active if Spanning Tree is disabled on the switch.
spanning-tree loopback-detection release-mode
This command configures the release mode for a port that was placed in the discarding state because a loopback BPDU was received. Use the no form to restore the default.
Syntax
spanning-tree loopback-detection release-mode {auto | manual}
no spanning-tree loopback-detection release-mode
auto - Allows a port to automatically be released from the discarding state when the loopback state ends.
spanning-tree loopback-detection
This command enables SNMP trap notification for Spanning Tree loopback BPDU detections. Use the no form to restore the default.
interfaces attached to faster media, and higher values assigned to interfaces with slower media.
◆ Use the no spanning-tree mst cost command to specify auto-configuration mode.
◆ Path cost takes precedence over interface priority.
Related Commands
spanning-tree mst cost (534)

spanning-tree port-bpdu-flooding
This command floods BPDUs to other ports when spanning tree is disabled globally or disabled on a specific port. Use the no form to restore the default setting.
Command Usage
◆ This command defines the priority for the use of a port in the Spanning Tree Algorithm. If the path cost for all ports on a switch is the same, the port with the highest priority (that is, lowest value) will be configured as an active link in the spanning tree.
◆ Where more than one port is assigned the highest priority, the port with lowest numeric identifier will be enabled.
by taking over as the root port and forming a new spanning tree topology. It could also be used to form a border around part of the network where the root bridge is allowed.
◆ When spanning tree is initialized globally on the switch or on an interface, the switch will wait for 20 seconds to ensure that the spanning tree has converged before enabling Root Guard.
Command Usage
When this command is enabled on an interface, topology change information originating from the interface will still be propagated. This command should not be used on an interface which is purposely configured in a ring topology.
spanning-tree protocol-migration
This command re-checks the appropriate BPDU format to send on the selected interface.
Syntax
spanning-tree protocol-migration interface
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show spanning-tree
This command shows the configuration for the common spanning tree (CST), for all instances within the multiple spanning tree (MST), or for a specific instance within the multiple spanning tree (MST).
Spanning Tree Enabled/Disabled : Enabled
Instance : 0
VLANs Configured : 1-4094
Priority : 32768
Bridge Hello Time (sec.) : 2
Bridge Max. Age (sec.) : 20
Bridge Forward Delay (sec.) : 15
Root Hello Time (sec.) : 2
Root Max. Age (sec.) : 20
Root Forward Delay (sec.) : 15
Max. Hops : 20
Remaining Hops : 20
Designated Root : 32768.0.00E00C0000FD
Current Root Port : 0
Current Root Cost : 0
Number of Topology Changes : 6
Last Topology Change Time (sec.
show spanning-tree
This command shows the configuration of the multiple spanning tree.
21 ERPS Commands
The G.8032 recommendation, also referred to as Ethernet Ring Protection Switching (ERPS), can be used to increase the availability and robustness of Ethernet rings. This chapter describes commands used to configure ERPS.
Table 98: ERPS Commands (Continued)
Command           Function                                                                                             Mode
non-revertive     Enables non-revertive mode, which requires the protection state on the RPL to be manually cleared   ERPS Inst
raps-def-mac      Sets the switch’s MAC address to be used as the node identifier in R-APS messages                   ERPS Inst
raps-without-vc   Terminates the R-APS channel at the primary ring to sub-ring interconnection nodes                  ERPS Inst
version           Specifies compatibility with ERPS version 1 or 2                                                     ERPS Inst
inclusion-vl
will be unblocked (Protection state) to ensure proper connectivity among all ring nodes until the failure is recovered.
6. Configure ERPS timers: Use the guard-timer command to set the timer used to prevent ring nodes from receiving outdated R-APS messages, the holdoff-timer command to filter out intermittent link faults, and the wtr-timer command to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure.
7.
Example
Console(config)#erps
Console(config)#
Related Commands
enable (ring) (552)

erps node-id
This command sets the MAC address for a ring node. Use the no form to restore the default setting.
Syntax
erps node-id mac-address
no erps node-id
mac-address – A MAC address unique to the ring node. The MAC address must be specified in the format xx-xx-xx-xx-xx-xx or xxxxxxxxxxxx.
erps vlan-group
This command creates or modifies an ERPS VLAN group. Use the no form of this command to remove VLANs from a VLAN group or to delete a VLAN group.
Syntax
erps vlan-group vlan-group-name {add|remove} vlan-list
no erps vlan-group vlan-group-name
vlan-group-name – Name of the VLAN group. (Range: 1-12 characters).
add – Adds VLANs to a group.
remove – Deletes VLANs from a group.
Command Usage
◆ The switch can support ERPS rings up to half the number of physical ports on the switch.
Example
Console(config)#erps ring campus1
Console(config-erps-ring)#

erps instance
This command creates an ERPS instance and enters ERPS instance configuration mode. Use the no form to delete an ERPS instance.
Syntax
erps instance instance-name [id ring-id]
no erps instance instance-name
instance-name - Name of a specific ERPS instance.
ring-port
This command configures a node’s connection to the ring through the east or west interface. Use the no form to disassociate a node from the ring.
Syntax
ring-port {east | west} interface interface
no ring-port {east | west}
east - Connects to next ring node to the east.
west - Connects to next ring node to the west.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
exclusion-vlan
Use this command to specify VLAN groups that are to be on the exclusion list of a physical ERPS ring. Use the no form of the command to remove VLAN groups from the list.
Syntax
[no] exclusion-vlan vlan-group-name
vlan-group-name - Name of the VLAN group. (Range: 1-12 characters)
Default Setting
None
Command Mode
ERPS Ring Configuration
Command Usage
◆ VLANs that are on the exclusion list are not protected by the ERPS ring.
◆ Once enabled, the RPL owner node and non-owner node state machines will start, and the ring will enter idle state if no signal failures are detected.
Example
Console(config-erps-ring)#enable
Console(config-erps-ring)#
Related Commands
erps (547)

enable (instance)
This command activates the current ERPS instance. Use the no form to disable the current instance.
no meg-level
level - The maintenance entity group (MEG) level which provides a communication channel for ring automatic protection switching (R-APS) information. (Range: 0-7)
Default Setting
1
Command Mode
ERPS Instance Configuration
Command Usage
◆ This parameter is used to ensure that received R-APS PDUs are directed for this instance. A unique level should be configured for each local instance if there are many R-APS PDUs passing through this switch.
Command Usage
◆ The Control VID must be included in one of inclusion VLAN groups.
◆ Configure one control VLAN for each ERPS instance. First create the VLAN to be used as the control VLAN (vlan, page 587), add the VLAN to an ERPS VLAN group (erps vlan-group), add the ring ports for the east and west interface as tagged members to this VLAN (switchport allowed vlan, page 590), and then use the control-vlan command to add it to the ERPS instance.
Command Mode
ERPS Instance Configuration
Command Usage
◆ Only one RPL owner can be configured on an instance. The owner blocks traffic on the RPL during Idle state, and unblocks it during Protection state (that is, when a signal fault is detected on the instance or the protection state is enabled with the erps forced-switch or erps manual-switch command).
◆ The east and west connections to the instance must be specified for all ring nodes using the ring-port command.
◆ Note that it is not mandatory to declare an RPL neighbor.
Example
Console(config-erps-inst)#rpl neighbor
Console(config-erps-inst)#

wtr-timer
This command sets the wait-to-restore timer which is used to verify that the ring has stabilized before blocking the RPL after recovery from a signal failure. Use the no form to restore the default setting.
guard-timer
This command sets the guard timer to prevent ring nodes from receiving outdated R-APS messages. Use the no form to restore the default setting.
Syntax
guard-timer milliseconds
no guard-timer
milliseconds - The guard timer is used to prevent ring nodes from receiving outdated R-APS messages.
Command Usage
In order to coordinate timing of protection switches at multiple layers, a hold-off timer may be required. Its purpose is to allow, for example, a server layer protection switch to have a chance to fix the problem before switching at a client layer. When a new defect or more severe defect occurs (new Signal Failure), this event will not be reported immediately to the protection switching mechanism if the provisioned hold-off timer value is non-zero.
◆ If CFM determines that a MEP node which has been configured to monitor a ring port with this command has gone down, this information is passed to ERPS, which in turn processes it as a ring node failure. For more information on how ERPS recovers from a node failure, refer to “Ethernet Ring Protection Switching” in the Web Management Guide.
propagate-tc
This command enables propagation of topology change messages for a secondary ring to the primary ring. Use the no form to disable this feature.
Syntax
[no] propagate-tc
Default Setting
Disabled
Command Mode
ERPS Instance Configuration
Command Usage
◆ When a secondary ring detects a topology change, it can pass a message about this event to the major ring.
Example
Console(config-erps-inst)#bpdu-tcn-notify
Console(config-erps-inst)#

non-revertive
This command enables non-revertive mode, which requires the protection state on the RPL to be manually cleared. Use the no form to restore the default revertive mode.
b. The WTR timer is cancelled if during the WTR period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c. When the WTR timer expires, without the presence of any other higher priority request, the RPL Owner Node initiates reversion by blocking its traffic channel over the RPL, transmitting an R-APS (NR, RB) message over both ring ports, informing the ring that the RPL is blocked, and performing a flush FDB action.
■ Recovery with revertive mode is handled in the following way:
a. The reception of an R-APS (NR) message causes the RPL Owner Node to start the WTB timer.
b. The WTB timer is canceled if during the WTB period a higher priority request than NR is accepted by the RPL Owner Node or is declared locally at the RPL Owner Node.
c.
Chapter 21 | ERPS Commands If the ring node where the Manual Switch was cleared receives an R-APS (NR) message with a Node ID higher than its own Node ID, it unblocks any ring port which does not have an SF condition and stops transmitting R-APS (NR) message on both ring ports. ■ Recovery with revertive mode is handled in the following way: a.
Chapter 21 | ERPS Commands raps-def-mac This command sets the switch’s MAC address to be used as the node identifier in RAPS messages. Use the no form to use the node identifier specified in the G8032 standards. Syntax [no] raps-def-mac Default Setting Enabled Command Mode ERPS Instance Configuration Command Usage ◆ When ring nodes running ERPSv1 and ERPSv2 co-exist on the same ring, the Ring ID of each ring node must be configured as “1”.
Chapter 21 | ERPS Commands ◆ Sub-ring with R-APS Virtual Channel – When using a virtual channel to tunnel R-APS messages between interconnection points on a sub-ring, the R-APS virtual channel may or may not follow the same path as the traffic channel over the network. R-APS messages that are forwarded over the sub-ring’s virtual channel are broadcast or multicast over the interconnected network.
Figure 4: Sub-ring without Virtual Channel (diagram labels: RPL Port, Interconnection Node, Sub-ring with Virtual Channel, Ring Node, Major Ring)
Example Console(config-erps-inst)#raps-without-vc Console(config-erps-inst)# version This command specifies compatibility with ERPS version 1 or 2. Syntax version {1 | 2} no version 1 - ERPS version 1 based on ITU-T G.8032/Y.1344. 2 - ERPS version 2 based on ITU-T G.8032/Y.1344 Version 2.
Chapter 21 | ERPS Commands ◆ The version number is automatically set to “1” when a ring node, supporting only the functionalities of G.8032v1, exists on the same ring with other nodes that support G.8032v2. ◆ When ring nodes running G.8032v1 and G.8032v2 co-exist on a ring, the ring ID of each node is configured as “1”. ◆ In version 1, the MAC address 01-19-A7-00-00-01 is used for the node identifier. The raps-def-mac command has no effect.
physical-ring Use this command to associate an ERPS instance with an existing physical ring. Use the no form of the command to remove the association. Syntax physical-ring ring-name no physical-ring ring-name - Name of a specific ERPS ring. (Range: 1-12 characters) Default Setting None Command Mode ERPS Instance Configuration Command Usage The physical ring name must first be defined using the erps ring command.
Chapter 21 | ERPS Commands continuously transmitted by this ring node while the local FS command is the ring node’s highest priority command (see Table 99 on page 571). The R-APS (FS) message informs other ring nodes of the FS command and that the traffic channel is blocked on one ring port. c. A ring node accepting an R-APS (FS) message, without any local higher priority requests unblocks any blocked ring port. This action subsequently unblocks the traffic channel over the RPL. d.
Chapter 21 | ERPS Commands Table 99: ERPS Request/State Priority (Continued) Request / State and Status Type WTB Expires local | WTB Running local | R-APS (NR, RB) remote | R-APS (NR) remote * Priority lowest If an Ethernet Ring Node is in the Forced Switch state, local SF is ignored. ◆ Recovery for forced switching under revertive and non-revertive mode is described under the Command Usage section for the non-revertive command.
Chapter 21 | ERPS Commands a. If no other higher priority commands exist, the ring node, where a manual switch command was issued, blocks the traffic channel and R-APS channel on the ring port to which the command was issued, and unblocks the other ring port. b. If no other higher priority commands exist, the ring node where the manual switch command was issued transmits R-APS messages over both ring ports indicating MS.
Example Console#erps manual-switch instance r&d west Console# erps clear This command manually clears the protection state that was invoked by a forced switch or manual switch command when the node is operating in non-revertive mode, or before the WTR or WTB timer expires when the node is operating in revertive mode. Syntax erps clear instance instance-name instance-name - Name of a specific ERPS instance.
Command Mode Privileged Exec Example Console#clear erps statistics instance r&d Console# show erps statistics This command displays statistics information for all configured instances, or for a specified instance. Syntax show erps statistics [instance instance-name] instance-name - Name of a specific ERPS instance. (Range: 1-12 characters) Command Mode Privileged Exec Example This example displays statistics for all configured ERPS instances.
Chapter 21 | ERPS Commands Table 100: show erps statistics - detailed display description Field Description Interface The direction, and port or trunk which is configured as a ring port. Local SF A signal fault generated on a link to the local node.
Console#
This example displays a summary of all the ERPS rings configured on the switch.
Console#show erps ring
ERPS Status         : Enabled
ERPS node-id        : B8-6A-97-41-F3-83
Number of ERPS Ring : 2
Ring         ID  Enabled West I/F  EAST I/F
------------ --- ------- --------- --------
test1        1   No
campus1      2   Yes     Eth 1/1   Eth 1/3
Console#
Table 101: show erps ring - summary display description Field Description ERPS Status Shows whether ERPS is enabled on the switch.
Chapter 21 | ERPS Commands This example displays a summary of all the ERPS instances configured on the switch.
22 VLAN Commands A VLAN is a group of ports that can be located anywhere in the network, but communicate as though they belong to the same physical segment. This section describes commands used to create VLAN groups, add port members, specify how VLAN tagging is used, and enable automatic VLAN registration for the selected interface.
Chapter 22 | VLAN Commands GVRP and Bridge Extension Commands GVRP and Bridge Extension Commands GARP VLAN Registration Protocol defines a way for switches to exchange VLAN information in order to automatically register VLAN members on interfaces across the network. This section describes how to enable GVRP for individual interfaces and globally for the switch, as well as how to display default configuration settings for the Bridge Extension MIB.
Chapter 22 | VLAN Commands GVRP and Bridge Extension Commands garp timer This command sets the values for the join, leave and leaveall timers. Use the no form to restore the timers’ default values. Syntax garp timer {join | leave | leaveall} timer-value no garp timer {join | leave | leaveall} {join | leave | leaveall} - Timer to set. timer-value - Value of timer.
switchport forbidden vlan This command configures forbidden VLANs. Use the no form to remove the list of forbidden VLANs. Syntax switchport forbidden vlan {add vlan-list | remove vlan-list} no switchport forbidden vlan add vlan-list - List of VLAN identifiers to add. remove vlan-list - List of VLAN identifiers to remove. vlan-list - Separate nonconsecutive VLAN identifiers with a comma and no spaces; use a hyphen to designate a range of IDs.
Chapter 22 | VLAN Commands GVRP and Bridge Extension Commands Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage GVRP cannot be enabled for ports set to Access mode using the switchport mode command. Example Console(config)#interface ethernet 1/1 Console(config-if)#switchport gvrp Console(config-if)# show bridge-ext This command shows the configuration for bridge extension commands.
Chapter 22 | VLAN Commands GVRP and Bridge Extension Commands Table 104: show bridge-ext - display description (Continued) Field Description Configurable PVID Tagging This switch allows you to override the default Port VLAN ID (PVID used in frame tags) and egress status (VLAN-Tagged or Untagged) on each port. (Refer to the switchport allowed vlan command.) Local VLAN Capable This switch does not support multiple local bridges outside of the scope of 802.1Q defined VLANs.
show gvrp configuration This command shows if GVRP is enabled. Syntax show gvrp configuration [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) Default Setting Shows both global and interface-specific configuration.
Chapter 22 | VLAN Commands Editing VLAN Groups Editing VLAN Groups Table 105: Commands for Editing VLAN Groups Command Function Mode vlan database Enters VLAN database mode to add, change, and delete VLANs GC vlan Configures a VLAN, including VID, name and state VC vlan database This command enters VLAN database mode. All commands in this mode will take effect immediately.
Chapter 22 | VLAN Commands Editing VLAN Groups vlan This command configures a VLAN. Use the no form to restore the default settings or delete a VLAN. Syntax vlan vlan-id [name vlan-name] media ethernet [state {active | suspend}] [rspan] no vlan vlan-id [name | state] vlan-id - VLAN ID, specified as a single number, a range of consecutive numbers separated by a hyphen, or multiple numbers separated by commas. (Range: 1-4094) name - Keyword to be followed by the VLAN name.
Related Commands show vlan (595) Configuring VLAN Interfaces Table 106: Commands for Configuring VLAN Interfaces Command Function Mode interface vlan Enters interface configuration mode for a specified VLAN IC switchport acceptable-frame-types Configures frame types to be accepted by an interface IC switchport allowed vlan Configures the VLANs associated with an interface IC switchport forbidden vlan Configures forbidden VLANs for an inter
Related Commands shutdown (415) interface (409) vlan (587) switchport acceptable-frame-types This command configures the acceptable frame types for a port. Use the no form to restore the default. Syntax switchport acceptable-frame-types {all | tagged} no switchport acceptable-frame-types all - The port accepts all frames, tagged or untagged. tagged - The port only receives tagged frames.
switchport allowed vlan This command configures VLAN groups on the selected interface. Use the no form to restore the default. Syntax switchport allowed vlan {vlan-list | add vlan-list [tagged | untagged] | remove vlan-list} no switchport allowed vlan vlan-list - If a VLAN list is entered without using the add option, the interface is assigned to the specified VLANs, and membership in all previous VLANs is removed.
Chapter 22 | VLAN Commands Configuring VLAN Interfaces ◆ If a VLAN on the forbidden list for an interface is manually added to that interface, the VLAN is automatically removed from the forbidden list for that interface.
Chapter 22 | VLAN Commands Configuring VLAN Interfaces switchport mode This command configures the VLAN membership mode for a port. Use the no form to restore the default. Syntax switchport mode {access | hybrid | trunk} no switchport mode access - Specifies an access VLAN interface. The port transmits and receives untagged frames on a single VLAN only. hybrid - Specifies a hybrid VLAN interface. The port may transmit tagged or untagged frames. trunk - Specifies a port as an end-point for a VLAN trunk.
Chapter 22 | VLAN Commands Configuring VLAN Interfaces switchport native vlan This command configures the PVID (i.e., default VLAN ID) for a port. Use the no form to restore the default. Syntax switchport native vlan vlan-id no switchport native vlan vlan-id - Default VLAN ID for a port.
Chapter 22 | VLAN Commands Configuring VLAN Interfaces The following figure shows VLANs 1 and 2 configured on switches A and B, with VLAN trunking being used to pass traffic for these VLAN groups across switches C, D and E. Figure 5: Configuring VLAN Trunking Without VLAN trunking, you would have to configure VLANs 1 and 2 on all intermediate switches – C, D and E; otherwise these switches would drop any frames with unknown VLAN group tags.
Displaying VLAN Information This section describes commands used to display VLAN information. Table 107: Commands for Displaying VLAN Information Command Function Mode show interfaces status vlan Displays status for the specified VLAN interface NE, PE show interfaces switchport Displays the administrative and operational status of an interface NE, PE show vlan Shows VLAN information NE, PE show vlan This command shows VLAN information.
Chapter 22 | VLAN Commands Configuring IEEE 802.1Q Tunneling Configuring IEEE 802.1Q Tunneling IEEE 802.1Q tunneling (QinQ tunneling) uses a single Service Provider VLAN (SPVLAN) for customers who have multiple VLANs. Customer VLAN IDs are preserved and traffic from different customers is segregated within the service provider’s network even when they use the same customer-specific VLAN IDs.
7. Configure the QinQ tunnel uplink port to dot1Q-tunnel uplink mode (dot1q-tunnel tpid). 8. Configure the QinQ tunnel uplink port to join the SPVLAN as a tagged member (switchport allowed vlan). Limitations for QinQ ◆ The native VLAN for the tunnel uplink ports and tunnel access ports cannot be the same. However, the same service VLANs can be set on both tunnel port types. ◆ IGMP Snooping should not be enabled on a tunnel access port.
Chapter 22 | VLAN Commands Configuring IEEE 802.1Q Tunneling Syntax [no] dot1q-tunnel tpid ethertype ethertype – A specific Ethernet protocol number. (Range: 800-ffff hex) Default Setting The ethertype is set to 0x8100 Command Mode Global Configuration Command Usage Use the dot1q-tunnel tpid command to set the global custom 802.1Q ethertype. This feature allows the switch to interoperate with third-party switches that do not use the standard 0x8100 ethertype to identify 802.1Q-tagged frames.
switchport dot1q-tunnel mode This command configures an interface as a QinQ tunnel port. Use the no form to disable QinQ on the interface. Syntax switchport dot1q-tunnel mode {access | uplink} no switchport dot1q-tunnel mode access – Sets the port as an 802.1Q tunnel access port. uplink – Sets the port as an 802.1Q tunnel uplink port.
switchport dot1q-tunnel priority map This command copies the inner tag 802.1p value to the outer tag 802.1p value. Use the no form of this command to use port default priority. Syntax [no] switchport dot1q-tunnel priority map Default Setting Disabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This command is configured on a QinQ access port so that the 802.1p value in the packet's tag is used as the ingress priority for the S-VLAN.
Chapter 22 | VLAN Commands Configuring IEEE 802.1Q Tunneling VLAN that will carry this traffic across the 802.1Q tunnel. This process is performed in a transparent manner. ◆ When priority bits are found in the inner tag, these are also copied to the outer tag. This allows the service provider to differentiate service based on the indicated priority and appropriate methods of queue management at intermediate nodes across the tunnel.
2. Enable QinQ. Console(config)#dot1q-tunnel system-tunnel-control 3. Configure port 2 as a tagged member of VLANs 100, 200 and 300 using uplink mode. Console(config)#interface ethernet 1/2 Console(config-if)#switchport allowed vlan add 100,200,300 tagged Console(config-if)#switchport dot1q-tunnel mode uplink 4. Configure port 1 as an untagged member of VLANs 100, 200 and 300 using access mode.
switchport dot1q-tunnel service default match all This command specifies the default service to apply. Use the no form to restore the default service to the default setting. Syntax switchport dot1q-tunnel service default match all {remove-ctag | discard} no switchport dot1q-tunnel service default match all remove-ctag - Removes the customer’s VLAN tag. discard - Discards the packet.
Chapter 22 | VLAN Commands Configuring IEEE 802.1Q Tunneling show dot1q-tunnel This command displays information about QinQ tunnel ports. Syntax show dot1q-tunnel [interface interface [service svid] | service [svid]] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) svid - VLAN ID for the outer VLAN tag (SPVID).
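The tag handling described in this section, as an added example that is not part of the guide or the switch software: a tunnel access port pushes an outer tag carrying the SPVID and the configured TPID, and the outer 802.1p value comes from the inner tag only when the priority map is enabled. The function names, the sample frame and the 0x88A8 TPID used in the demonstration are assumptions made for illustration.

```python
import struct

DEFAULT_TPID = 0x8100   # default ethertype given for "dot1q-tunnel tpid"
TAG_OFFSET = 12         # a VLAN tag follows the two 6-byte MAC addresses


def read_tag(frame, offset=TAG_OFFSET):
    """Return (tpid, 802.1p priority, vlan id) for the 4-byte tag at offset."""
    if len(frame) < offset + 4:
        raise ValueError("frame too short to carry a VLAN tag")
    tpid, tci = struct.unpack_from("!HH", frame, offset)
    return tpid, tci >> 13, tci & 0x0FFF


def push_service_tag(frame, spvid, tpid=DEFAULT_TPID, priority_map=False,
                     port_priority=0, customer_tpid=0x8100):
    """Model of access-port ingress: add the outer (service provider) tag.

    priority_map mirrors "switchport dot1q-tunnel priority map": when set and
    the frame carries a customer tag, the inner 802.1p value is copied to the
    outer tag; otherwise the port default priority is used.
    """
    if not 1 <= spvid <= 4094:
        raise ValueError("SPVID must be in the range 1-4094")
    if not 0x0800 <= tpid <= 0xFFFF:
        raise ValueError("TPID must be in the range 800-ffff hex")
    if not 0 <= port_priority <= 7:
        raise ValueError("802.1p priority is a 3-bit value")
    pcp = port_priority
    if priority_map and len(frame) >= TAG_OFFSET + 4:
        inner_tpid, inner_pcp, _ = read_tag(frame)
        if inner_tpid == customer_tpid:
            pcp = inner_pcp
    outer = struct.pack("!HH", tpid, (pcp << 13) | spvid)
    # The customer tag is left untouched behind the new outer tag.
    return frame[:TAG_OFFSET] + outer + frame[TAG_OFFSET:]


def pop_service_tag(frame, spvid, tpid=DEFAULT_TPID):
    """Model of tunnel egress: strip the outer tag, restoring the customer frame."""
    outer_tpid, _, vid = read_tag(frame)
    if outer_tpid != tpid or vid != spvid:
        raise ValueError("outer tag does not match the tunnel's TPID/SPVID")
    return frame[:TAG_OFFSET] + frame[TAG_OFFSET + 4:]


def sample_customer_frame():
    """Constructed frame: customer VLAN 10, 802.1p priority 5, IPv4 payload."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")
    ctag = struct.pack("!HH", 0x8100, (5 << 13) | 10)
    return dst + src + ctag + struct.pack("!H", 0x0800) + b"payload"


if __name__ == "__main__":
    customer = sample_customer_frame()
    tunneled = push_service_tag(customer, spvid=100, tpid=0x88A8,
                                priority_map=True)
    print("outer tag:", read_tag(tunneled))
    print("inner tag:", read_tag(tunneled, TAG_OFFSET + 4))
    print("restored :", pop_service_tag(tunneled, 100, 0x88A8) == customer)
```
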
Chapter 22 | VLAN Commands Configuring L2PT Tunneling Configuring L2PT Tunneling This section describes the commands used to configure Layer 2 Protocol Tunneling (L2PT).
switches carrying this traffic across the service provider’s network treat these encapsulated packets in the same way as normal data, forwarding them across to the tunnel’s egress port. The egress port decapsulates these packets, restores the proper protocol and MAC address information, and then floods them onto the same VLANs at the customer’s remote site (via all of the appropriate tunnel ports and access ports connected to the same metro VLAN).
■ other access ports for which L2PT is enabled after decapsulating the packet and restoring the proper protocol and MAC address information. ■ all uplink ports. ◆ When a Cisco-compatible L2PT packet is received on an access port, and recognized as a Generic Bridge PDU Tunneling (GBPT) protocol packet (i.e.
Chapter 22 | VLAN Commands Configuring L2PT Tunneling pvst+ - Cisco Per VLAN Spanning Tree Plus spanning-tree - Spanning Tree (STP, RSTP, MSTP) vtp - Cisco VLAN Trunking Protocol Default Setting Disabled for all protocols Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Refer to the Command Usage section for the l2protocol-tunnel tunnel-dmac command.
Chapter 22 | VLAN Commands Configuring VLAN Translation Configuring VLAN Translation QinQ tunneling uses double tagging to preserve the customer’s VLAN tags on traffic crossing the service provider’s network.
VLAN 10 for downstream traffic leaving port 1, then the VLAN IDs will be swapped as shown below.
Figure 7: Configuring VLAN Translation (diagram: upstream and downstream traffic between ports 1 and 2, labelled VLAN 10 and VLAN 100)
◆ The maximum number of VLAN translation entries is 8 per port, and up to 96 for the system.
Chapter 22 | VLAN Commands Configuring Protocol-based VLANs show vlan-translation This command displays the configuration settings for VLAN translation. Syntax show vlan-translation [interface interface] interface ethernet unit/port unit - Stack unit. (Range: 1) port - Port number.
Chapter 22 | VLAN Commands Configuring Protocol-based VLANs To configure protocol-based VLANs, follow these steps: 1. First configure VLAN groups for the protocols you want to use (page 587). Although not mandatory, we suggest configuring a separate VLAN for each major protocol running on your network. Do not add port members at this time. 2. Create a protocol group for each of the protocols you want to assign to a VLAN using the protocol-vlan protocol-group command (Global Configuration mode). 3.
protocol-vlan protocol-group (Configuring Interfaces) This command maps a protocol group to a VLAN for the current interface. Use the no form to remove the protocol mapping for this interface. Syntax protocol-vlan protocol-group group-id vlan vlan-id no protocol-vlan protocol-group group-id vlan group-id - Group identifier of this protocol group. (Range: 1-2147483647) vlan-id - VLAN to which matching protocol traffic is forwarded.
show protocol-vlan protocol-group This command shows the frame and protocol type associated with protocol groups. Syntax show protocol-vlan protocol-group [group-id] group-id - Group identifier for a protocol group. (Range: 1-2147483647) Default Setting All protocol groups are displayed.
Chapter 22 | VLAN Commands Configuring IP Subnet VLANs Example This shows that traffic entering Port 1 that matches the specifications for protocol group 1 will be mapped to VLAN 2: Console#show interfaces protocol-vlan protocol-group Port Protocol Group ID VLAN ID -------- ----------------- ------Eth 1/ 2 1 1 Console# Configuring IP Subnet VLANs When using IEEE 802.
Chapter 22 | VLAN Commands Configuring IP Subnet VLANs Default Setting Priority: 0 Command Mode Global Configuration Command Usage ◆ Each IP subnet can be mapped to only one VLAN ID. An IP subnet consists of an IP address and a subnet mask. The specified VLAN need not be an existing VLAN. ◆ When an untagged frame is received by a port, the source IP address is checked against the IP subnet-to-VLAN mapping table, and if an entry is found, the corresponding VLAN ID is assigned to the frame.
192.168.12.224 255.255.255.240 5  0
192.168.12.240 255.255.255.248 6  0
192.168.12.248 255.255.255.252 7  0
192.168.12.252 255.255.255.254 8  0
192.168.12.254 255.255.255.255 9  0
192.168.12.255 255.255.255.255 10 0
Console#
Configuring MAC Based VLANs When using IEEE 802.1Q port-based VLAN classification, all untagged frames received by a port are classified as belonging to the VLAN whose VID (PVID) is associated with that port.
Chapter 22 | VLAN Commands Configuring MAC Based VLANs Command Mode Global Configuration Command Usage ◆ The MAC-to-VLAN mapping applies to all ports on the switch. ◆ Source MAC addresses can be mapped to only one VLAN ID. ◆ Configured MAC addresses cannot be broadcast or multicast addresses. ◆ When MAC-based, IP subnet-based, and protocol-based VLANs are supported concurrently, priority is applied in this sequence, and then port-based VLANs last.
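The classification order stated above for untagged frames (MAC-based, then IP subnet-based, then protocol-based, with the port's PVID last), as an added example that is not part of the guide or the switch software. The class and method names, the frame-type label, the MAC-to-VLAN 20 mapping and the protocol group are assumptions made for illustration; the subnet rows are the ones from the show subnet-vlan output in this section.

```python
import ipaddress


class VlanClassifier:
    """Toy model of how an untagged frame is assigned a VLAN."""

    def __init__(self, pvid_by_port):
        self.pvid_by_port = dict(pvid_by_port)
        self.mac_vlan = {}            # applies to all ports on the switch
        self.subnet_vlan = []         # list of (ip_network, vlan id)
        self.protocol_groups = {}     # group id -> (frame type, ethertype)
        self.port_protocol_vlan = {}  # port -> {group id: vlan id}

    @staticmethod
    def _norm_mac(mac):
        return mac.lower().replace(":", "-")

    def add_mac_vlan(self, mac, vid):
        mac = self._norm_mac(mac)
        # The low bit of the first octet marks broadcast/multicast addresses,
        # which cannot be configured as MAC-to-VLAN entries.
        if int(mac.split("-")[0], 16) & 1:
            raise ValueError("broadcast/multicast MAC cannot be mapped")
        self.mac_vlan[mac] = vid      # a source MAC maps to only one VLAN

    def add_subnet_vlan(self, ip, mask, vid):
        net = ipaddress.ip_network(f"{ip}/{mask}")
        if any(net == known for known, _ in self.subnet_vlan):
            raise ValueError("each IP subnet can be mapped to only one VLAN")
        self.subnet_vlan.append((net, vid))

    def add_protocol_group(self, group_id, frame_type, ethertype):
        self.protocol_groups[group_id] = (frame_type, ethertype)

    def map_protocol_group(self, port, group_id, vid):
        self.port_protocol_vlan.setdefault(port, {})[group_id] = vid

    def classify(self, port, src_mac, src_ip=None,
                 frame_type=None, ethertype=None):
        """Return (vlan id, rule that decided) for an untagged frame."""
        mac = self._norm_mac(src_mac)
        if mac in self.mac_vlan:
            return self.mac_vlan[mac], "mac"
        if src_ip is not None:
            addr = ipaddress.ip_address(src_ip)
            for net, vid in self.subnet_vlan:
                if addr in net:
                    return vid, "ip-subnet"
        for group_id, vid in self.port_protocol_vlan.get(port, {}).items():
            if self.protocol_groups.get(group_id) == (frame_type, ethertype):
                return vid, "protocol"
        return self.pvid_by_port[port], "port"


def build_sample():
    """Constructed configuration for the demonstration."""
    c = VlanClassifier({"1/1": 1})
    for ip, mask, vid in [
        ("192.168.12.224", "255.255.255.240", 5),
        ("192.168.12.240", "255.255.255.248", 6),
        ("192.168.12.248", "255.255.255.252", 7),
        ("192.168.12.252", "255.255.255.254", 8),
        ("192.168.12.254", "255.255.255.255", 9),
        ("192.168.12.255", "255.255.255.255", 10),
    ]:
        c.add_subnet_vlan(ip, mask, vid)
    c.add_mac_vlan("00-12-34-56-78-90", 20)       # constructed mapping
    c.add_protocol_group(1, "ethernet", 0x0806)   # constructed group (ARP)
    c.map_protocol_group("1/1", 1, 2)
    return c


if __name__ == "__main__":
    c = build_sample()
    print(c.classify("1/1", "00-12-34-56-78-90", "192.168.12.250"))
    print(c.classify("1/1", "02-00-00-00-00-01", "192.168.12.250"))
    print(c.classify("1/1", "02-00-00-00-00-01", "10.0.0.1", "ethernet", 0x0806))
    print(c.classify("1/1", "02-00-00-00-00-01", "10.0.0.1", "ethernet", 0x0800))
```

Because the MAC rule is evaluated first and applies on every port, a frame whose source MAC is in that table lands in the mapped VLAN regardless of its source IP or the port's PVID.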
Chapter 22 | VLAN Commands Configuring Voice VLANs Configuring Voice VLANs The switch allows you to specify a Voice VLAN for the network and set a CoS priority for the VoIP traffic. VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port to the Voice VLAN. Alternatively, switch ports can be manually configured.
Chapter 22 | VLAN Commands Configuring Voice VLANs ◆ VoIP traffic can be detected on switch ports by using the source MAC address of packets, or by using LLDP (IEEE 802.1AB) to discover connected VoIP devices. When VoIP traffic is detected on a configured port, the switch automatically assigns the port as a tagged member of the Voice VLAN. ◆ Only one Voice VLAN is supported and it must already be created on the switch before it can be specified as the Voice VLAN.
Chapter 22 | VLAN Commands Configuring Voice VLANs Note that when the switchport voice vlan command is set to auto mode, the remaining aging time displayed by the show voice vlan command will be displayed. Otherwise, if the switchport voice vlan command is disabled or set to manual mode, the remaining aging time will display “NA.” Example The following example configures the Voice VLAN aging time as 3000 minutes.
Example The following example adds a MAC OUI to the OUI Telephony list. Console(config)#voice vlan mac-address 00-12-34-56-78-90 mask ff-ff-ff-00-00-00 description "a new phone" Console(config)# switchport voice vlan This command specifies the Voice VLAN mode for ports. Use the no form to disable the Voice VLAN feature on the port.
switchport voice vlan priority This command specifies a CoS priority for VoIP traffic on a port. Use the no form to restore the default priority on a port. Syntax switchport voice vlan priority priority-value no switchport voice vlan priority priority-value - The CoS priority value. (Range: 0-6) Default Setting 6 Command Mode Interface Configuration Command Usage Specifies a CoS priority to apply to the port VoIP traffic on the Voice VLAN.
Command Usage ◆ When OUI is selected, be sure to configure the MAC address ranges in the Telephony OUI list (see the voice vlan mac-address command). MAC address OUI numbers must be configured in the Telephony OUI list so that the switch recognizes the traffic as being from a VoIP device. ◆ LLDP checks that the “telephone bit” in the system capability TLV is turned on. See “LLDP Commands” on page 773 for more information on LLDP.
Chapter 22 | VLAN Commands Configuring Voice VLANs show voice vlan This command displays the Voice VLAN settings on the switch and the OUI Telephony list. Syntax show voice vlan {oui | status} oui - Displays the OUI Telephony list. status - Displays the global and port Voice VLAN settings.
23 Class of Service Commands The commands described in this section allow you to specify which data packets have greater precedence when traffic is buffered in the switch due to congestion. This switch supports CoS with eight priority queues for each port. Data packets in a port’s high-priority queue will be transmitted before those in the lower-priority queues.
queue mode This command sets the scheduling mode used for processing each of the class of service (CoS) priority queues. The options include strict priority, Weighted Round-Robin (WRR), or a combination of strict and weighted queuing. Use the no form to restore the default value.
Chapter 23 | Class of Service Commands Priority Commands (Layer 2) ◆ Service time is shared at the egress ports by defining scheduling weights for WRR, or for the queuing mode that uses a combination of strict and weighted queuing. Service time is allocated to each queue by calculating a precise number of bytes per second that will be serviced on each round. ◆ The specified queue mode applies to all interfaces.
Example The following example shows how to assign round-robin weights of 1 - 4 to the CoS priority queues 0 - 7. Console(config)#queue weight 1 2 3 4 5 6 7 8 Console(config)# Related Commands queue mode (628) show queue weight (631) switchport priority default This command sets a priority for incoming untagged frames. Use the no form to restore the default value.
Chapter 23 | Class of Service Commands Priority Commands (Layer 2) Example The following example shows how to set a default priority on port 3 to 5: Console(config)#interface ethernet 1/3 Console(config-if)#switchport priority default 5 Console(config-if)# Related Commands show interfaces switchport (429) show queue mode This command shows the current queue mode. Syntax show queue mode [ethernet unit/port] ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Example Console#show queue weight Information of Eth 1/1 Queue ID Weight -------- -----0 1 1 2 2 4 3 6 4 8 5 10 6 12 7 14 . . . Priority Commands (Layer 3 and 4) This section describes commands used to configure Layer 3 and 4 traffic priority mapping on the switch.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Table 117: Priority Commands (Layer 3 and 4) Command Function Mode show qos map dscp-mutation Shows ingress DSCP to internal DSCP map PE show qos map ip-port-dscp Shows destination TCP/UDP port to internal DSCP map PE show qos map ip-prec-dscp Shows ingress IP Precedence to internal DSCP map PE show qos map phb-queue Shows internal per-hop behavior to hardware queue map PE show qos map trust-mode Shows the QoS mapping mo
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map cos-dscp This command maps CoS/CFI values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings. Syntax qos map cos-dscp phb drop-precedence from cos0 cfi0...cos7 cfi7 no qos map cos-dscp cos0 cfi0...cos7 cfi7 phb - Per-hop behavior, or the priority used for this router hop.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) drop precedence values for internal processing. Note that priority tags in the original packet are not modified by this command. ◆ The internal DSCP consists of three bits for per-hop behavior (PHB) which determines the queue to which a packet is sent; and two bits for drop precedence (namely color) which is used to control traffic congestion. ◆ The specified mapping applies to all interfaces.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Console(config-if)#qos map default-drop-precedence 3 from 3 4 5 Console(config-if)#qos map default-drop-precedence 0 from 6 7 Console(config-if)# qos map dscp-cos This command maps internal per-hop behavior and drop precedence value pairs to CoS/CFI values used in tagged egress packets on a Layer 2 interface. Use the no form to restore the default settings. Syntax qos map dscp-cos cos-value cfi-value from phb0 drop-precedence0 ...
◆ If the packet is forwarded with an 802.1Q tag, the priority value in the egress packet is modified based on the table shown above, or on similar values as modified by this command.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ Enter a value pair for the internal per-hop behavior and drop precedence, followed by the keyword “from” and then up to eight DSCP values separated by spaces. ◆ This map is only used when the QoS mapping mode is set to “DSCP” by the qos map trust-mode command, and the ingress packet type is IPv4.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Usage ◆ This mapping table is only used if the protocol type of the arriving packet is TCP or UDP. Example Console(config)#interface ethernet 1/5 Console(config-if)#qos map ip-port-dscp tcp 21 to 1 0 Console(config-if)# qos map ip-prec-dscp This command maps IP precedence values in incoming packets to per-hop behavior and drop precedence values for priority processing. Use the no form to restore the default settings.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) qos map trust-mode This command sets QoS mapping to DSCP or CoS. Use the no form to restore the default setting. Syntax qos map trust-mode {cos | dscp | ip-prec} no qos map trust-mode cos - Sets the QoS mapping mode to CoS. dscp - Sets the QoS mapping mode to DSCP. ip-prec - Sets the QoS mapping mode to IP Precedence.
show qos map cos-dscp This command shows ingress CoS/CFI to internal DSCP map. Syntax show qos map cos-dscp interface interface interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) Command Mode Privileged Exec Example Console#show qos map cos-dscp interface ethernet 1/5 CoS Information of Eth 1/5 CoS-DSCP map.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Example Console#show qos map default-drop-precedence interface ethernet 1/5 Information of Eth 1/5 default-drop-precedence map: phb: 0 1 2 3 4 5 6 7 ------------------------------------------------------color: 0 0 0 0 0 0 0 0 Console# show map dscp-cos This command shows the internal DSCP to egress CoS map, which converts internal PHB/Drop Precedence to CoS values.
show qos map dscp-mutation
This command shows the ingress DSCP to internal DSCP map.

Syntax
show qos map dscp-mutation interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 23 | Class of Service Commands Priority Commands (Layer 3 and 4) Command Mode Privileged Exec Command Usage The IP Port-to-DSCP mapping table is only used if the protocol type of the arriving packet is TCP or UDP.
show qos map phb-queue
This command shows internal per-hop behavior to hardware queue map.

Syntax
show qos map phb-queue interface interface
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
24 Quality of Service Commands

The commands described in this section are used to configure Differentiated Services (DiffServ) classification criteria and service policies. You can classify traffic based on access lists, IP Precedence or DSCP values, or VLANs. Using access lists allows you to select traffic based on Layer 2, Layer 3, or Layer 4 information contained in each packet.
Chapter 24 | Quality of Service Commands

To create a service policy for a specific category of ingress traffic, follow these steps:
1. Use the class-map command to designate a class name for a specific category of traffic, and enter the Class Map configuration mode.
2. Use the match command to select a specific type of traffic based on an access list, an IPv4 DSCP value, IPv4 Precedence value, a VLAN, or a CoS value.
3.
Command Usage
◆ First enter this command to designate a class map and enter the Class Map configuration mode. Then use match commands to specify the criteria for ingress traffic that will be classified under this class map.
◆ One or more class maps can be assigned to a policy map (page 651). The policy map is then bound by a service policy to an interface (page 662). A service policy defines packet classification, service tagging, and bandwidth policing.
match
This command defines the criteria used to classify traffic. Use the no form to delete the matching criteria.

Syntax
[no] match {access-list acl-name | cos cos | ip dscp dscp | ip precedence ip-precedence | vlan vlan}
acl-name - Name of the access control list. Any type of ACL can be specified, including standard or extended IP ACLs and MAC ACLs. (Range: 1-16 characters)
cos - A Class of Service value.
This example creates a class map called “rd-class#2,” and sets it to match packets marked for IP Precedence service value 5.

Console(config)#class-map rd-class#2 match-any
Console(config-cmap)#match ip precedence 5
Console(config-cmap)#

This example creates a class map called “rd-class#3,” and sets it to match packets marked for VLAN 1.
Command Usage
◆ Use the policy-map command to specify the name of the policy map, and then use the class command to configure policies for traffic that matches the criteria defined in a class map.
◆ A policy map can contain multiple class statements that can be applied to the same interface with the service-policy command.
◆ Create a Class Map (page 651) before assigning it to a Policy Map.
  ■ set cos command sets the class of service value in matching packets. (This modifies packet priority in the VLAN tag.)
  ■ police commands define parameters such as the maximum throughput, burst rate, and response to non-conforming traffic.
◆ Up to 16 classes can be included in a policy map.
Command Mode
Policy Map Class Configuration

Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option.
police srtcm-color
This command defines an enforcer for classified traffic based on a single rate three color meter (srTCM). Use the no form to remove a policer.

Syntax
[no] police {srtcm-color-blind | srtcm-color-aware} committed-rate committed-burst excess-burst conform-action {transmit | new-dscp} exceed-action {drop | new-dscp} violate-action {drop | new-dscp}
srtcm-color-blind - Single rate three color meter in color-blind mode.
◆ The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
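The two meter modes can be compared with a small model of the single rate three color meter as defined in RFC 2697. This is an added Python example, not code from the switch or from this guide; it assumes committed-rate is in kilobits per second and both burst sizes are in bytes, and the packet timings and DSCP 26 marking are constructed sample input.

```python
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class SrTcm:
    """Single rate three color meter (RFC 2697) with two token buckets."""
    cir_kbps: int              # committed-rate (assumed unit: kilobits per second)
    cbs: int                   # committed-burst, bytes (depth of bucket C)
    ebs: int                   # excess-burst, bytes (depth of bucket E)
    color_aware: bool = False  # False models srtcm-color-blind

    def __post_init__(self):
        self.tc = self.cbs     # both buckets start full
        self.te = self.ebs
        self.last_us = 0       # time of the previous refill, microseconds
        self.carry = 0         # sub-byte remainder kept between refills

    def _refill(self, now_us):
        elapsed = max(0, now_us - self.last_us)
        self.last_us = max(self.last_us, now_us)
        # kbit/s * microseconds / 8000 = bytes earned since the last refill
        earned, self.carry = divmod(self.cir_kbps * elapsed + self.carry, 8000)
        # Tokens fill bucket C first; only the overflow goes to bucket E.
        to_committed = min(earned, self.cbs - self.tc)
        self.tc += to_committed
        self.te = min(self.ebs, self.te + earned - to_committed)

    def meter(self, now_us, size, pre_color=GREEN):
        """Return the color for a packet of `size` bytes arriving at now_us."""
        self._refill(now_us)
        if not self.color_aware:
            pre_color = GREEN          # color-blind: upstream marking is ignored
        if pre_color == GREEN and self.tc >= size:
            self.tc -= size
            return GREEN
        if pre_color in (GREEN, YELLOW) and self.te >= size:
            self.te -= size
            return YELLOW
        return RED


def police(meter, packets, conform="transmit", exceed=0, violate="drop"):
    """Apply conform/exceed/violate actions. An integer action is a new DSCP.

    Returns (color, outgoing DSCP) per packet; DSCP None means dropped.
    """
    actions = {GREEN: conform, YELLOW: exceed, RED: violate}
    results = []
    for now_us, size, dscp, pre_color in packets:
        color = meter.meter(now_us, size, pre_color)
        action = actions[color]
        if action == "drop":
            out_dscp = None
        elif action == "transmit":
            out_dscp = dscp
        else:
            out_dscp = action
        results.append((color, out_dscp))
    return results


# Constructed input: (arrival time in us, bytes, DSCP, upstream color).
# Seven back-to-back 1500-byte packets, then one more 1 ms later.
BURST = [(0, 1500, 26, GREEN)] * 7 + [(1000, 1500, 26, GREEN)]
# Constructed input for color-aware mode: upstream already marked these.
PRECOLORED = [(0, 1500, 26, YELLOW), (0, 1500, 26, RED), (0, 1500, 26, GREEN)]


def run_color_blind():
    # Parameters 100000 4000 6000 with transmit / new DSCP 0 / drop actions.
    return police(SrTcm(100000, 4000, 6000), BURST)


def run_color_aware():
    return police(SrTcm(100000, 4000, 6000, color_aware=True), PRECOLORED)


if __name__ == "__main__":
    for label, rows in (("blind", run_color_blind()), ("aware", run_color_aware())):
        for color, dscp in rows:
            print(label, color, "dropped" if dscp is None else "DSCP %d" % dscp)
```

Running PRECOLORED through a color-blind meter returns green for the packet that arrived marked red, which is why color-aware mode only makes sense on ports where the upstream marker is trusted.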
Console(config)#policy-map rd-policy
Console(config-pmap)#class rd-class
Console(config-pmap-c)#set phb 3
Console(config-pmap-c)#police srtcm-color-blind 100000 4000 6000 conform-action transmit exceed-action 0 violate-action drop
Console(config-pmap-c)#

police trtcm-color
This command defines an enforcer for classified traffic based on a two rate three color meter (trTCM). Use the no form to remove a policer.
Command Usage
◆ You can configure up to 16 policers (i.e., class maps) for ingress ports.
◆ The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates – Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes - Committed Burst Size (BC) and Peak Burst Size (BP).
Chapter 24 | Quality of Service Commands which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.
Chapter 24 | Quality of Service Commands Example This example creates a policy called “rd-policy,” uses the class command to specify the previously defined “rd-class,” uses the set cos command to classify the service that incoming packets will receive, and then uses the police flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets.
set phb
This command services IP traffic by setting a per-hop behavior value for a matching packet (as specified by the match command) for internal processing. Use the no form to remove this setting.

Syntax
[no] set phb phb-value
phb-value - Per-hop behavior value.
service-policy
This command applies a policy map defined by the policy-map command to the ingress side of a particular interface. Use the no form to remove this mapping.

Syntax
[no] service-policy input policy-map-name
input - Apply to the input traffic.
policy-map-name - Name of the policy map for this interface. (Range: 1-32 characters)

Default Setting
No policy map is attached to an interface.
Example
Console#show class-map
Class Map match-any rd-class#1
 Description:
 Match IP DSCP 10
 Match access-list rd-access
 Match IP DSCP 0
Class Map match-any rd-class#2
 Match IP Precedence 5
Class Map match-any rd-class#3
 Match VLAN 1
Console#

show policy-map
This command displays the QoS policy maps which define classification criteria for incoming traffic, and may include policers for bandwidth limitations.
show policy-map interface
This command displays the service policy assigned to the specified interface.

Syntax
show policy-map interface interface input
interface
  unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
25 Multicast Filtering Commands

This switch uses IGMP (Internet Group Management Protocol) to check for any attached hosts that want to receive a specific multicast service. It identifies the ports containing hosts requesting a service and sends data out to those ports only. It then propagates the service request up to any neighboring multicast switch/router to ensure that it will continue to receive the multicast service.
Chapter 25 | Multicast Filtering Commands
IGMP Snooping

Table 126: IGMP Snooping Commands (Continued)

Command                                       Function                                                                     Mode
ip igmp snooping querier                      Allows this device to act as the querier for IGMP snooping                  GC
ip igmp snooping router-alert-option-check    Discards any IGMPv2/v3 packets that do not include the Router Alert option  GC
ip igmp snooping router-port-expire-time      Configures the querier timeout                                               GC
ip igmp snooping tcn-flood                    Floods multicast traffic when a Spanning Tree topology change occu
Table 126: IGMP Snooping Commands (Continued)

Command                              Function                                                     Mode
clear ip igmp snooping statistics    Clears IGMP snooping statistics                              PE
show ip igmp snooping                Shows the IGMP snooping, proxy, and query configuration     PE
show ip igmp snooping group          Shows known multicast group, source, and host port mapping  PE
show ip igmp snooping mrouter        Shows multicast router ports                                 PE
show ip igmp snooping statistics     Shows IGMP snooping protocol statisti
ip igmp snooping mrouter-forward-mode dynamic
This command configures multicast router ports to forward multicast streams only when multicast groups are joined. Use the no form to disable it.

Syntax
ip igmp snooping mrouter-forward dynamic
no ip igmp snooping mrouter-forward

Default Setting
Disabled

Command Mode
Global Configuration

Example
The following example enables IGMP snooping globally.
Related Commands
show ip igmp snooping (684)

ip igmp snooping proxy-reporting
This command enables IGMP Snooping with Proxy Reporting. Use the no form to restore the default setting.

Syntax
[no] ip igmp snooping proxy-reporting
ip igmp snooping vlan vlan-id proxy-reporting {enable | disable}
no ip igmp snooping vlan vlan-id proxy-reporting
vlan-id - VLAN ID (Range: 1-4094)
enable - Enable on the specified VLAN.
Chapter 25 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ IGMP snooping querier is not supported for IGMPv3 snooping (see ip igmp snooping version). ◆ If enabled, the switch will serve as querier if elected. The querier is responsible for asking hosts if they want to receive multicast traffic.
ip igmp snooping router-port-expire-time
This command configures the querier timeout. Use the no form to restore the default.

Syntax
ip igmp snooping router-port-expire-time seconds
no ip igmp snooping router-port-expire-time
seconds - The time the switch waits after the previous querier stops before it considers it to have expired.
Chapter 25 | Multicast Filtering Commands IGMP Snooping ◆ If a topology change notification (TCN) is received, and all the uplink ports are subsequently deleted, a timeout mechanism is used to delete all of the currently learned multicast channels. ◆ When a new uplink port starts up, the switch sends unsolicited reports for all current learned channels out through the new uplink port.
When an upstream multicast router receives this solicitation, it will also immediately issue an IGMP general query.
◆ The ip igmp snooping tcn query-solicit command can be used to send a query solicitation whenever it notices a topology change, even if the switch is not the root bridge in the spanning tree.
ip igmp snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.

Syntax
ip igmp snooping unsolicited-report-interval seconds
no ip igmp snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Chapter 25 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ This command configures the IGMP report/query version used by IGMP snooping. Versions 1 - 3 are all supported, and versions 2 and 3 are backward compatible, so the switch can operate with other devices, regardless of the snooping version employed. ◆ If the IGMP snooping version is configured on a VLAN, this setting takes precedence over the global configuration.
ip igmp snooping vlan general-query-suppression
This command suppresses general queries except for ports attached to downstream multicast hosts. Use the no form to flood general queries to all ports except for the multicast router port.
Command Usage
◆ If immediate-leave is not used, a multicast router (or querier) will send a group-specific query message when an IGMPv2/v3 group leave message is received. The router/querier stops forwarding traffic for that group only if no host replies to the query within the timeout period. (The timeout for this release is defined by Last Member Query Interval (fixed at one second) * Robustness Variable (fixed at 2) as defined in RFC 2236.
Command Usage
This command will take effect only if IGMP snooping proxy reporting or IGMP querier is enabled (page 669).

Example
Console(config)#ip igmp snooping vlan 1 last-memb-query-count 7
Console(config)#

ip igmp snooping vlan last-memb-query-
This command configures the last-member-query interval. Use the no form to restore the default.
ip igmp snooping vlan mrd
This command enables sending of multicast router solicitation messages. Use the no form to disable these messages.
Chapter 25 | Multicast Filtering Commands IGMP Snooping Syntax ip igmp snooping vlan vlan-id proxy-address source-address no ip igmp snooping vlan vlan-id proxy-address vlan-id - VLAN ID (Range: 1-4094) source-address - The source address used for proxied IGMP query and report, and leave messages. (Any valid IP unicast address) Default Setting 0.0.0.0 Command Mode Global Configuration Command Usage IGMP Snooping uses a null IP address of 0.0.0.
Example
The following example sets the source address for proxied IGMP query messages to 10.0.1.8.

Console(config)#ip igmp snooping vlan 1 proxy-address 10.0.1.8
Console(config)#

ip igmp snooping vlan query-interval
This command configures the interval between sending IGMP general queries. Use the no form to restore the default.
ip igmp snooping vlan query-resp-intvl
This command configures the maximum time the system waits for a response to general queries. Use the no form to restore the default.

Syntax
ip igmp snooping vlan vlan-id query-resp-intvl interval
no ip igmp snooping vlan vlan-id query-resp-intvl
vlan-id - VLAN ID (Range: 1-4094)
interval - The maximum time the system waits for a response to general queries.
Chapter 25 | Multicast Filtering Commands IGMP Snooping Command Mode Global Configuration Command Usage ◆ Static multicast entries are never aged out. ◆ When a multicast entry is assigned to an interface in a specific VLAN, the corresponding traffic can only be forwarded to ports within that VLAN. Example The following shows how to statically configure a multicast group on a port. Console(config)#ip igmp snooping vlan 1 static 224.128.0.
port-channel channel-id (Range: 1-26)
vlan vlan-id - VLAN identifier (Range: 1-4094)

Command Mode
Privileged Exec

Example
Console#clear ip igmp snooping statistics
Console#

show ip igmp
This command shows the IGMP snooping, proxy, and query configuration settings.
Query Response Interval    : 100 (unit: 1/10s)
Proxy Query Address        : 0.0.0.0
Proxy Reporting            : Using global status (Disabled)
Multicast Router Discovery : Disabled

VLAN Static Group    Port
---- --------------- --------
1    224.1.1.1       Eth 1/ 1
.
.
.

show ip igmp snooping group
This command shows known multicast group, source, and host port mappings for the specified VLAN interface, or for all interfaces if none is specified.
Chapter 25 | Multicast Filtering Commands IGMP Snooping Console#show ip igmp snooping group vlan 1 Bridge Multicast Forwarding Entry Count:1 Flag: R - Router port, M - Group member port H - Host counts (number of hosts join the group on this port). P - Port counts (number of ports join the group). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s). VLAN Group Port Up time Expire Count ---- --------------- ----------- ----------- ------ -------1 224.1.1.
Chapter 25 | Multicast Filtering Commands IGMP Snooping show ip igmp This command shows IGMP snooping protocol statistics for the specified interface. snooping statistics Syntax show ip igmp snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id]} input - Specifies to display statistics for messages received by the interface. output - Specifies to display statistics for messages sent by the interface. interface ethernet unit/port unit - Unit identifier.
Table 127: show ip igmp snooping statistics input - display description

Field        Description
Drop         The number of times a report, leave or query was dropped. Packets may be dropped due to invalid format, rate limiting, or packet content not allowed.
Join Succ    The number of times a multicast group was successfully joined.
Group        The number of multicast groups active on this interface.
The following shows IGMP query-related statistics for VLAN 1:

Console#show ip igmp snooping statistics query vlan 1
Other Querier           : 192.168.0.1
Other Querier Expire    : 0(m):30(s)
Other Querier Uptime    : 0(h):55(m):0(s)
Self Querier            : 192.168.0.4
Self Querier Expire     : 0(m):0(s)
Self Querier Uptime     : 0(h):0(m):0(s)
General Query Received  : 10
General Query Sent      : 0
Specific Query Received : 2
Specific Query Sent     : 1
Warn Rate Limit         : 0 sec.
Static Multicast Routing
This section describes commands used to configure static multicast routing on the switch.

Table 130: Static Multicast Interface Commands

Command                          Function                        Mode
ip igmp snooping vlan mrouter    Adds a multicast router port    GC
show ip igmp snooping mrouter    Shows multicast router ports    PE

ip igmp snooping vlan mrouter
This command statically configures a (Layer 2) multicast router port on the specified VLAN.
Example
The following shows how to configure port 10 as a multicast router port within VLAN 1.

Console(config)#ip igmp snooping vlan 1 mrouter ethernet 1/10
Console(config)#

IGMP Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan.
ip igmp filter (Global Configuration)
This command globally enables IGMP filtering and throttling on the switch. Use the no form to disable the feature.

Syntax
[no] ip igmp filter

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
IGMP filtering enables you to assign a profile to a switch port that specifies multicast groups that are permitted or denied on the port.
Example
Console(config)#ip igmp igmp-with-pppoe
Console(config)#

ip igmp profile
This command creates an IGMP filter profile number and enters IGMP profile configuration mode. Use the no form to delete a profile number.

Syntax
[no] ip igmp profile profile-number
profile-number - An IGMP filter profile number.
to deny, IGMP join reports are only processed when a multicast group is not in the controlled range.

Example
Console(config)#ip igmp profile 19
Console(config-igmp-profile)#permit
Console(config-igmp-profile)#

range
This command specifies multicast group addresses for a profile. Use the no form to delete addresses from a profile.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ If IGMP authentication is enabled on an interface, and a join report is received on the interface, the switch will send an access request to the RADIUS server to perform authentication.
◆ Only when the RADIUS server responds with an authentication success message will the switch learn the group report.
Table 132: IGMP Authentication RADIUS Attribute Value Pairs

Attribute Name       AVP Type    Entry
USER_NAME            1           User MAC address
USER_PASSWORD        2           User MAC address
NAS_IP_ADDRESS       4           Switch IP address
NAS_PORT             5           User Port Number
FRAMED_IP_ADDRESS    8           Multicast Group ID

Example
This example shows how to enable IGMP Authentication on all of the switch’s Ethernet interfaces.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp filter 19
Console(config-if)#

ip igmp max-groups
This command sets the IGMP throttling number for an interface on the switch. Use the no form to restore the default setting.

Syntax
ip igmp max-groups number
no ip igmp max-groups
number - The maximum number of multicast groups an interface can join at the same time.
Syntax
ip igmp max-groups action {deny | replace}
no ip igmp max-groups action
deny - The new multicast group join report is dropped.
replace - The new multicast group replaces an existing group.

Default Setting
Deny

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#ip igmp query-drop
Console(config-if)#

ip multicast-data-drop
This command drops all multicast data packets. Use the no form to disable this feature.
Command Usage
Using this command without specifying an interface displays information for all interfaces.

Example
Console#show ip igmp authentication
Ethernet 1/1: Enabled
Ethernet 1/2: Enabled
Ethernet 1/3: Enabled
.
.
.
Ethernet 1/27: Enabled
Ethernet 1/28: Enabled
Other ports/port channels are Disable
Console#

show ip igmp filter
This command displays the global and interface settings for IGMP filtering.
show ip igmp igmp-with-pppoe
This command displays the IGMP PPPoE protocol configuration.

Syntax
show ip igmp igmp-with-pppoe

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show ip igmp igmp-with-pppoe
Recognize IGMP with PPPoE header : Enabled
Console(config)#

show ip igmp profile
This command displays IGMP filtering profiles created on the switch.
show ip igmp query-drop
This command shows if the specified interface is configured to drop IGMP query packets.

Syntax
show ip igmp query-drop [interface [interface]]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Example
Console#show ip igmp throttle interface ethernet 1/1
Eth 1/1 Information
Status                   : FALSE
Action                   : Deny
Max Multicast Groups     : 255
Current Multicast Groups : 0
Console#

show ip multicast-data-drop
This command shows if the specified interface is configured to drop multicast data packets.

Syntax
show ip multicast-data-drop [interface [interface]]
interface
  ethernet unit/port
    unit - Unit identifier. (Range: 1)
    port - Port number.
Chapter 25 | Multicast Filtering Commands MLD Snooping There are two versions of the MLD protocol, version 1 and version 2. MLDv1 control packets include Listener Query, Listener Report, and Listener Done messages (equivalent to IGMPv2 query, report, and leave messages). MLDv2 control packets include MLDv2 query and report messages, as well as MLDv1 report and done messages. Remember that IGMP Snooping and MLD Snooping are independent functions, and can therefore both function at the same time.
Table 133: MLD Snooping Commands (Continued)

Command                              Function                                                               Mode
show ipv6 mld snooping mrouter       Displays the information of multicast router ports                    PE
show ipv6 mld snooping statistics    Shows MLD snooping protocol statistics for the specified interface    PE

ipv6 mld snooping
This command enables MLD Snooping globally on the switch. Use the no form to disable MLD Snooping.
◆ The querier will not start or will disable itself after having started if it detects an IPv6 multicast router on the network.

Example
Console(config)#ipv6 mld snooping querier
Console(config)#

ipv6 mld snooping query-interval
This command configures the interval between sending MLD general queries. Use the no form to restore the default.
ipv6 mld snooping query-max-response-time
This command configures the maximum response time advertised in MLD general queries. Use the no form to restore the default.

Syntax
ipv6 mld snooping query-max-response-time seconds
no ipv6 mld snooping query-max-response-time
seconds - The maximum response time allowed for MLD general queries.
Example
Console(config)#ipv6 mld snooping proxy-reporting
Console(config)#

ipv6 mld snooping robustness
This command configures the MLD Snooping robustness variable. Use the no form to restore the default value.

Syntax
ipv6 mld snooping robustness value
no ipv6 mld snooping robustness
value - The number of the robustness variable.
Command Usage
The router port expire time is the time the switch waits after the previous querier stops before it considers the router port (i.e., the interface that had been receiving query packets) to have expired.

Example
Console(config)#ipv6 mld snooping router-port-expire-time 300
Console(config)#

ipv6 mld snooping unknown-multicast
This command sets the action for dealing with unknown multicast packets. Use the no form to restore the default.
ipv6 mld snooping unsolicited-report-interval
This command specifies how often the upstream interface should transmit unsolicited IGMP reports when proxy reporting is enabled. Use the no form to restore the default value.

Syntax
ipv6 mld snooping unsolicited-report-interval seconds
no ipv6 mld snooping unsolicited-report-interval
seconds - The interval at which to issue unsolicited reports.
Example
Console(config)#ipv6 mld snooping version 1
Console(config)#

ipv6 mld snooping vlan immediate-leave
This command immediately deletes a member port of an IPv6 multicast service when a leave packet is received at that port and immediate-leave is enabled for the parent VLAN. Use the no form to restore the default.
Chapter 25 | Multicast Filtering Commands MLD Snooping Syntax [no] ipv6 mld snooping vlan vlan-id mrouter interface vlan-id - VLAN ID (Range: 1-4094) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) Default Setting No static multicast router ports are configured. Command Mode Global Configuration Command Usage Depending on your network connections, MLD snooping may not always be able to locate the MLD querier.
Default Setting
None

Command Mode
Global Configuration

Example
Console(config)#ipv6 mld snooping vlan 1 static ff05:0:1:2:3:4:5:6 ethernet 1/6
Console(config)#

clear ipv6 mld snooping groups dynamic
This command clears multicast group information dynamically learned through MLD snooping.

Syntax
clear ipv6 mld snooping groups dynamic

Command Mode
Privileged Exec

Command Usage
This command only clears entries learned through MLD snooping.
Example
Console#clear ipv6 mld snooping statistics
Console#

show ipv6 mld snooping
This command shows the current MLD Snooping configuration.

Syntax
show ipv6 mld snooping [vlan vlan-id]
vlan-id - VLAN ID (1-4094)

Command Mode
Privileged Exec

Command Usage
This command displays global and VLAN-specific MLD snooping configuration settings.
show ipv6 mld snooping group
This command shows known multicast groups, member ports, and the means by which each group was learned.

Syntax
show ipv6 mld snooping group [mld-group | host-ip-addr | sort-by-port | vlan vlan-id]
mld-group - X:X:X:X::X show only the groups by the specified IPv6 address
host-ip-addr - Displays the ip address of the subscribers of each group.
sort-by-port - Displays groups sorted by port number.
Chapter 25 | Multicast Filtering Commands MLD Snooping Mutlicast IPv6 Address Member Port Type Filter Mode (if exclude filter mode) Filter Timer elapse Request List Exclude List (if include filter mode) Include List : : : : FF02::01:01:01:01 Eth 1/1 MLD Snooping Include : 10 sec.
show ipv6 mld snooping statistics
This command shows MLD snooping protocol statistics for the specified interface.

Syntax
show ipv6 mld snooping statistics {input [interface interface] | output [interface interface] | query [vlan vlan-id] | summary interface interface}
input - Specifies to display statistics for messages received by the interface.
output - Specifies to display statistics for messages sent by the interface.
MLD Filtering and Throttling
In certain switch applications, the administrator may want to control the multicast services that are available to end users. For example, an IP/TV service based on a specific subscription plan. The MLD filtering feature fulfills this requirement by restricting access to specified multicast services on a switch port, and MLD throttling limits the number of simultaneous multicast groups a port can join.
Chapter 25 | Multicast Filtering Commands MLD Filtering and Throttling can contain one or more, or a range of multicast addresses; but only one profile can be assigned to a port. When enabled, MLD join reports received on the port are checked against the filter profile. If a requested multicast group is permitted, the MLD join report is forwarded as normal. If a requested multicast group is denied, the MLD join report is dropped.
permit, deny
This command sets the access mode for an MLD filter profile.

Syntax
{permit | deny}

Default Setting
deny

Command Mode
MLD Profile Configuration

Command Usage
◆ Each profile has only one access mode; either permit or deny.
◆ When the access mode is set to permit, MLD join reports are processed when a multicast group falls within the controlled range.
Example
Console(config-mld-profile)#range ff01::0101 ff01::0202
Console(config-mld-profile)#

ipv6 mld filter (Interface Configuration)
This command assigns an MLD filtering profile to an interface on the switch. Use the no form to remove a profile from an interface.
Syntax
ipv6 mld filter profile-number
no ipv6 mld filter
profile-number - An MLD filter profile number.
Chapter 25 | Multicast Filtering Commands MLD Filtering and Throttling number - The maximum number of multicast groups an interface can join at the same time. (Range: 1-1023) Default Setting 255 Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ MLD throttling sets a maximum number of multicast groups that a port can join at the same time. When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.
Chapter 25 | Multicast Filtering Commands MLD Filtering and Throttling Command Usage When the maximum number of groups is reached on a port, the switch can take one of two actions; either “deny” or “replace.” If the action is set to deny, any new MLD join reports will be dropped. If the action is set to replace, the switch randomly removes an existing group and replaces it with the new multicast group.
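The filter and throttle decisions described above, modelled in Python as an added example (not code from the guide or the switch firmware). The class and function names are hypothetical; the deny-mode behaviour (groups inside the range are dropped), deny as the default throttling action, and evaluating the filter before the throttle are assumptions, since this section does not spell them out.

```python
import ipaddress
import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MldProfile:
    """Hypothetical model of an MLD filter profile: one access mode plus ranges."""
    mode: str = "deny"                      # the guide's default access mode
    ranges: list = field(default_factory=list)

    def add_range(self, low: str, high: str) -> None:
        lo, hi = ipaddress.IPv6Address(low), ipaddress.IPv6Address(high)
        if not (lo.is_multicast and hi.is_multicast) or lo > hi:
            raise ValueError("range must be ascending IPv6 multicast addresses")
        self.ranges.append((lo, hi))

    def permits(self, group) -> bool:
        g = ipaddress.IPv6Address(group)
        in_range = any(lo <= g <= hi for lo, hi in self.ranges)
        # permit: joins are processed only for groups inside the range.
        # deny (assumption): the mirror image, groups inside the range are dropped.
        return in_range if self.mode == "permit" else not in_range


@dataclass
class Port:
    """Hypothetical model of one interface: at most one profile, plus throttling."""
    profile: Optional[MldProfile] = None
    max_groups: int = 255                   # guide default; valid range 1-1023
    action: str = "deny"                    # assumed default; "deny" or "replace"
    groups: set = field(default_factory=set)
    rng: random.Random = field(default_factory=random.Random)

    def join(self, group: str) -> str:
        """Return what happens to one MLD join report received on this port."""
        if not 1 <= self.max_groups <= 1023:
            raise ValueError("max_groups must be in the range 1-1023")
        g = ipaddress.IPv6Address(group)
        # Assumption: the filter profile is evaluated before the throttle.
        if self.profile is not None and not self.profile.permits(g):
            return "dropped:filter"
        if g in self.groups:
            return "forwarded"              # already joined, no new group to count
        if len(self.groups) >= self.max_groups:
            if self.action == "deny":
                return "dropped:throttle"
            # replace: a randomly chosen existing group gives way to the new one
            victim = self.rng.choice(sorted(self.groups))
            self.groups.remove(victim)
            self.groups.add(g)
            return f"replaced:{victim}"
        self.groups.add(g)
        return "forwarded"


def run_joins(port: Port, joins):
    """Feed a sequence of requested groups to a port and collect the outcomes."""
    return [port.join(g) for g in joins]


def demo():
    """Permit profile using the range from the guide's example, limit of 2 groups."""
    profile = MldProfile(mode="permit")
    profile.add_range("ff01::0101", "ff01::0202")
    port = Port(profile=profile, max_groups=2, action="deny")
    # Constructed join sequence: in range, out of range, in range, over the limit.
    return run_joins(port, ["ff01::0101", "ff01::0300", "ff01::0150", "ff01::0202"])


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

With the replace action the third in-range join is accepted and one of the two earlier groups is evicted, so a subscriber can lose a stream it did not ask to leave.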
Example
Console(config)#interface ethernet 1/3
Console(config-if)#ipv6 multicast-data-drop
Console(config-if)#

show ipv6 mld filter
This command displays the global and interface settings for MLD filtering.
Syntax
show ipv6 mld filter [interface interface]
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Command Mode
Privileged Exec
Example
Console#show ipv6 mld profile
MLD Profile 19
MLD Profile 50
Console#show ipv6 mld profile 19
MLD Profile 19
Deny
Console#show ipv6 mld profile 5
MLD Profile 19
Deny
Range ff01::101 ff01::faa
Console#

show ipv6 mld query-drop
This command shows if the specified interface is configured to drop MLD query packets.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Syntax show ipv6 mld throttle interface [interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) Default Setting None Command Mode Privileged Exec Command Usage Using this command without specifying an interface displays information for all interfaces.
Table 135: Multicast VLAN Registration for IPv4 Commands (Continued)
Command                   Function                                                                    Mode
mvr domain                Enables MVR for a specific domain                                           GC
mvr priority              Assigns a priority to all multicast traffic in the MVR VLAN                 GC
mvr profile               Maps a range of MVR group addresses to a profile                            GC
mvr proxy-query-interval  Configures the interval at which the receiver port sends out general queries.  GC
Chapter 25 | Multicast Filtering Commands MVR for IPv4 mvr This command enables Multicast VLAN Registration (MVR) globally on the switch. Use the no form of this command to globally disable MVR. Syntax [no] mvr Default Setting Disabled Command Mode Global Configuration Command Usage Only IGMP version 2 or 3 hosts can issue multicast join or leave messages. If MVR must be configured for an IGMP version 1 host, the multicast groups must be statically assigned using the mvr vlan group command.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Related Commands mvr profile (730) mvr domain This command enables Multicast VLAN Registration (MVR) for a specific domain. Use the no form of this command to disable MVR for a domain. Syntax [no] mvr domain domain-id domain-id - An independent multicast domain. (Range: 1-5) Default Setting Disabled Command Mode Global Configuration Command Usage Only IGMP version 2 or 3 hosts can issue multicast join or leave messages.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Command Usage This command can be used to set a high priority for low-latency multicast traffic such as a video-conference, or to set a low priority for normal multicast traffic not sensitive to latency. Example Console(config)#mvr priority 6 Console(config)# Related Commands show mvr mvr profile This command maps a range of MVR group addresses to a profile. Use the no form of this command to remove the profile.
Example
The following example maps a range of MVR group addresses to a profile:
Console(config)#mvr profile rd 228.1.23.1 228.1.23.10
Console(config)#

mvr proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Command Mode Global Configuration Command Usage ◆ When MVR proxy-switching is enabled, an MVR source port serves as the upstream or host interface. The source port performs only the host portion of MVR by sending summarized membership reports, and automatically disables MVR router functions. ◆ Receiver ports are known as downstream or router interfaces.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 mvr robustness-value This command configures the expected packet loss, and thereby the number of times to generate report and group-specific queries. Use the no form to restore the default setting. Syntax mvr robustness-value value no mvr robustness-value value - The robustness used for all interfaces.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Command Usage ◆ By default, the switch forwards any multicast streams within the address range set by a profile, and bound to a domain. The multicast streams are sent to all source ports on the switch and to all receiver ports that have elected to receive data on that multicast address. ◆ When the mvr source-port-mode dynamic command is used, the switch only forwards multicast streams which the source port has dynamically joined.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 mvr vlan This command specifies the VLAN through which MVR multicast data is received. Use the no form of this command to restore the default MVR VLAN. Syntax mvr [domain domain-id] vlan vlan-id no mvr [domain domain-id] vlan domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Specifies the VLAN through which MVR multicast data is received. This is also the VLAN to which all source ports must be assigned.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 mvr immediate-leave This command causes the switch to immediately remove an interface from a multicast stream as soon as it receives a leave message for that group. Use the no form to restore the default settings. Syntax mvr [domain domain-id] immediate-leave [by-host-ip] no mvr [domain domain-id] immediate-leave domain-id - An independent multicast domain.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 mvr type This command configures an interface as an MVR receiver or source port. Use the no form to restore the default settings. Syntax [no] mvr [domain domain-id] type {receiver | source} domain-id - An independent multicast domain. (Range: 1-5) receiver - Configures the interface as a subscriber port that can receive multicast data.
Console(config-if)#mvr domain 1 type receiver
Console(config-if)#

mvr vlan group
This command statically binds a multicast group to a port which will receive long-term multicast streams associated with a stable set of hosts. Use the no form to restore the default settings.
Syntax
[no] mvr [domain domain-id] vlan vlan-id group ip-address
domain-id - An independent multicast domain.
clear mvr groups
This command clears multicast group information dynamically learned through dynamic MVR.
Syntax
clear mvr groups dynamic [domain-id]
domain-id - The MVR domain ID - Range: 1-5
Command Mode
Privileged Exec
Command Usage
This command only clears entries learned through MVR. Statically configured multicast addresses are not cleared.
Example
Console#clear mvr groups dynamic
Console#

clear mvr statistics
This command clears MVR statistics.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 show mvr This command shows information about MVR domain settings, including MVR operational status, the multicast VLAN, the current number of group addresses, and the upstream source IP address. Syntax show mvr [domain domain-id] domain-id - An independent multicast domain. (Range: 1-5) Default Setting Displays configuration settings for all MVR domains.
Table 136: show mvr - display description (Continued)
Field                       Description
MVR Multicast VLAN          Shows the VLAN used to transport all MVR multicast traffic.
MVR Current Learned Groups  The current number of MVR group addresses
MVR Upstream Source IP      The source IP address assigned to all upstream control packets.

show mvr
This command shows the profiles bound to the specified domain.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Example The following displays information about the interfaces attached to the MVR VLAN in domain 1: Console#show mvr domain 1 interface MVR Domain : 1 Flag: H - immediate leave by host ip Port Type Status -------- -------- ------------------Eth 1/ 1 Source Active/Forwarding Eth 1/ 2 Receiver Inactive/Discarding Eth 1/ 3 Source Inactive/Discarding Eth 1/ 1 Receiver Active/Forwarding Eth 1/ 4 Receiver Active/Discarding Immediate Static Group Address -
Chapter 25 | Multicast Filtering Commands MVR for IPv4 host-ip-address - The subscriber IP addresses. ds-vlan - Downstream VLAN ID (Range: 1-4094) igmp - Entry created by IGMP protocol. sort-by-port - The multicast groups associated with an interface. interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) unknown - Entry created by receiving a multicast stream. user - Snooping entry learned from user’s configuration settings.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s). Group Address VLAN Port Up time Expire Count --------------- ---- ----------- ----------- ------ -------234.5.6.7 1 2(P) 1 Eth 1/ 1(S) 2 Eth 1/ 2(R) Console# Table 138: show mvr members - display description Field Description Group Address Multicast group address. VLAN VLAN to which this address is forwarded. Port Port to which this address is forwarded.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 domain-id - An independent multicast domain. (Range: 1-5) interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-16) vlan vlan-id - VLAN ID (Range: 1-4094) query - Displays MVR query-related statistics. summary - Displays summary of MVR statistics. mvr vlan - Displays summary statistics for the MVR VLAN. Default Setting Displays statistics for all domains.
The following shows MVR protocol-related statistics sent:
Console#show mvr domain 1 statistics output
MVR Domain : 1 , MVR VLAN: 2
Output Statistics:
Interface  Report   Leave    G Query  G(-S)-S Query Drop     Group
---------- -------- -------- -------- ------------- -------- ------
Eth 1/ 1         12        0        1             0        0      0
Eth 1/ 1         12        0        1             0        0      0
Eth 1/ 2          5        1        4             1        0      0
DVLAN 1           7        2        3             0        0      0
MVLAN 1           7        2        3             0        0      0
Console#
Table 140: show mvr statistics output - display description Field De
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Table 141: show mvr statistics query - display description Field Description Other Querier The IP address of the querier on this interface. Other Querier Expire The time after which this querier is assumed to have expired. Other Querier Uptime Other querier’s time up. Self Querier This querier’s IP address. Self Querier Expire This querier’s expire time. Self Querier Uptime This querier’s time up.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Table 142: show mvr statistics summary interface - display description Field Description Received General Number of general queries received. Group Specific Number of group specific queries received. V# Warning Count Number of queries received on MVR that were configured for IGMP version 1, 2 or 3. Report & Leave Transmit Report Number of transmitted reports. Leave Number of transmitted leaves. Received Report Number of reports received.
Chapter 25 | Multicast Filtering Commands MVR for IPv4 Table 143: show mvr statistics summary interface mvr vlan - description Field Description Domain An independent multicast domain. Number of Groups Number of groups learned on this port. Querier Other Querier Other IGMP querier’s IP address. Other Expire Other querier’s expire time. Other Uptime Other querier’s time up. Self Querier This querier’s IP address. Self Expire This querier’s expire time. Self Uptime This querier’s time up.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 MVR for IPv6 This section describes commands used to configure Multicast VLAN Registration for IPv6 (MVR6). A single network-wide VLAN can be used to transmit multicast traffic (such as television channels) across a service provider’s network. Any multicast traffic entering an MVR6 VLAN is sent to all subscribers.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Table 144: Multicast VLAN Registration for IPv6 Commands (Continued) Command Function Mode show mvr6 members Shows information about the current number of entries in the PE forwarding database, or detailed information about a specific multicast address show mvr6 profile Shows all configured MVR profiles PE show mvr6 statistics Shows MVR protocol statistics for the specified interface PE mvr6 associated- This command binds the MVR6 group addr
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Default Setting Disabled Command Mode Global Configuration Command Usage When MVR6 is enabled on a domain, any multicast data associated with an MVR6 group is sent from all designated source ports, to all receiver ports that have registered to receive data from that multicast group.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 mvr6 profile This command maps a range of MVR6 group addresses to a profile. Use the no form of this command to remove the profile. Syntax mvr6 profile profile-name start-ip-address end-ip-address no mvr6 profile profile-name profile-name - The name of a profile containing one or more MVR6 group addresses. (Range: 1-21 characters) start-ip-address - Starting IPv6 address for an MVR6 multicast group.
mvr6 proxy-query-interval
This command configures the interval at which the receiver port sends out general queries. Use the no form to restore the default setting.
Syntax
mvr6 proxy-query-interval interval
no mvr6 proxy-query-interval
interval - The interval at which the receiver port sends out general queries.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 ◆ Receiver ports are known as downstream or router interfaces. These interfaces perform the standard MVR router functions by maintaining a database of all MVR6 subscriptions on the downstream interface. Receiver ports must therefore be configured on all downstream interfaces which require MVR6 proxy service. ◆ When the source port receives report and leave messages, it only forwards them to other source ports.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Command Mode Global Configuration Command Usage ◆ This command sets the number of times report messages are sent upstream when changes are learned about downstream groups, and the number of times group-specific queries are sent to downstream receiver ports. ◆ This command only takes effect when MVR6 proxy switching is enabled.
Example
Console(config)#mvr6 source-port-mode dynamic
Console(config)#

mvr6 upstream-source-ip
This command configures the source IPv6 address assigned to all MVR control packets sent upstream on the specified domain. Use the no form to restore the default setting.
Syntax
mvr6 domain domain-id upstream-source-ip source-ip-address
no mvr6 domain domain-id upstream-source-ip
domain-id - An independent multicast domain.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 mvr6 vlan This command specifies the VLAN through which MVR6 multicast data is received. Use the no form of this command to restore the default MVR6 VLAN. Syntax mvr6 domain domain-id vlan vlan-id no mvr6 domain domain-id vlan domain-id - An independent multicast domain. (Range: 1-5) vlan-id - Specifies the VLAN through which MVR6 multicast data is received. This is also the VLAN to which all source ports must be assigned.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Command Usage ◆ Immediate leave applies only to receiver ports. When enabled, the receiver port is immediately removed from the multicast group identified in the leave message. When immediate leave is disabled, the switch follows the standard rules by sending a group-specific query to the receiver port and waiting for a response to determine if there are any remaining subscribers for that multicast group before removing the port from the group list.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 page 703). ◆ Receiver ports can belong to different VLANs, but should not be configured as a member of the MVR6 VLAN. MLD snooping can be used to allow a receiver port to dynamically join or leave multicast groups not sourced through the MVR6 VLAN. Also, note that VLAN membership for MVR6 receiver ports cannot be set to access mode (see the switchport mode command). ◆ One or more interfaces may be configured as MVR6 source ports.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Default Setting No receiver port is a member of any configured multicast group. Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Multicast groups can be statically assigned to a receiver port using this command. The assigned address must fall within the range set by the mvr6 associated-profile command.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port). P - Port counts (number of forwarding ports). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
Chapter 25 | Multicast Filtering Commands MVR for IPv6 clear mvr6 statistics This command clears MVR statistics. Syntax clear mvr6 statistics [interface interface] interface ethernet unit/port unit - Unit identifier. (Range: 1) port - Port number. (Range: 1-28) port-channel channel-id (Range: 1-26) vlan vlan-id - VLAN identifier (Range: 1-4094) Command Mode Privileged Exec Command Usage If the interface option is not used then all MVR6 statistics are cleared.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 MVR6 Proxy Query Interval MVR6 Source Port Mode MVR6 Domain : MVR6 Config Status : MVR6 Running Status : MVR6 Multicast VLAN : MVR6 Current Learned Groups : MVR6 Upstream Source IP : Console# : 125(sec.
Example
The following displays the profiles bound to domain 1:
Console#show mvr6 domain 1 associated-profile
Domain ID : 1
MVR6 Profile Name     Start IPv6 Addr.          End IPv6 Addr.
--------------------- ------------------------- -------------------------
rd                    ff01::fe                  ff01::ff
Console#

show mvr6 interface
This command shows MVR6 configuration settings for interfaces attached to the MVR6 VLAN.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Table 146: show mvr6 interface - display description (Continued) Field Description Immediate Leave Shows if immediate leave is enabled or disabled. Static Group Address Shows any static MVR6 group assigned to an interface, and the receiver VLAN. show mvr6 members This command shows information about the current number of entries in the forwarding database, or detailed information about a specific multicast address.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Flag: S - Source port, R - Receiver port. H - Host counts (number of hosts join the group on this port). P - Port counts (number of forwarding ports). Up time: Group elapsed time (d:h:m:s). Expire : Group remaining time (m:s).
show mvr6 profile
This command shows all configured MVR6 profiles.
Command Mode
Privileged Exec
Example
The following shows all configured MVR profiles:
Console#show mvr6 profile
MVR Profile Name     Start IPv6 Addr.          End IPv6 Addr.
-------------------- ------------------------- -------------------------
rd                   ff01::fe                  ff01::ff
Console#

show mvr6 statistics
This command shows MVR protocol-related statistics for the specified interface.
Example
The following shows MVR protocol-related statistics received:
Console#show mvr6 domain 1 statistics input
MVR6 Domain 1, MVR6 VLAN 2:
Input Statistics:
Interface Report   Done     G Query  G(-S)-S Query Drop     Join Succ Group
--------- -------- -------- -------- ------------- -------- --------- ------
Eth 1/ 1        23       11        4            10        5        20      9
Eth 1/ 2        12       15        8             3        5        19      4
DVLAN 1          2        0        0             2        2        20      9
MVLAN 2          2        0        0             2        2        20      9
Console#
Table 148: show mvr6 statistics input - display
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Table 149: show mvr6 statistics output - display description (Continued) Field Description G Query The number of general query messages sent from this interface. G(-S)-S Query The number of group specific or group-and-source specific query messages sent from this interface.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Table 150: show mvr6 statistics summary interface - display description Field Description General Number of general queries received. Group Specific Number of group specific queries received. Report & Leave Transmit Report Number of transmitted reports. Leave Number of transmitted leaves. Received Report Number of reports received. Leave Number of leaves received. Join Success Number of join reports processed successfully.
Chapter 25 | Multicast Filtering Commands MVR for IPv6 Table 151: show mvr6 statistics summary interface mvr vlan - description Field Description Querier Other Addr Other IGMP querier’s IP address. Other Expire Other querier’s expire time. Other Uptime Other querier’s time up. Self Addr This querier’s IP address. Self Expire This querier’s expire time. Self Uptime This querier’s time up. Transmit General Number of general queries sent from receiver port.
26 LLDP Commands
Link Layer Discovery Protocol (LLDP) is used to discover basic information about neighboring devices on the local broadcast domain. LLDP is a Layer 2 protocol that uses periodic broadcasts to advertise information about the sending device. Advertised information is represented in Type Length Value (TLV) format according to the IEEE 802.1AB standard, and can include details such as device identification, capabilities and configuration settings.
Table 152: LLDP Commands (Continued)
Command                             Function                                                               Mode
lldp basic-tlv system-capabilities  Configures an LLDP-enabled port to advertise its system capabilities   IC
lldp basic-tlv system-description   Configures an LLDP-enabled port to advertise the system description    IC
lldp basic-tlv system-name          Configures an LLDP-enabled port to advertise its system name           IC
lldp dot1-tlv proto-ident*          Configures an LLDP-enabled port to advertise the supported protocols   IC
lldp dot1
* Vendor-specific options may or may not be advertised by neighboring devices.

lldp
This command enables LLDP globally on the switch. Use the no form to disable LLDP.
Syntax
[no] lldp
Default Setting
Enabled
Command Mode
Global Configuration
Example
Console(config)#lldp
Console(config)#

lldp holdtime-multiplier
This command configures the time-to-live (TTL) value sent in LLDP advertisements. Use the no form to restore the default setting.
Example
Console(config)#lldp holdtime-multiplier 10
Console(config)#

lldp med-fast-start-count
This command specifies the number of MED Fast Start LLDPDUs to transmit during the activation process of the LLDP-MED Fast Start mechanism. Use the no form to restore the default setting.
Syntax
lldp med-fast-start-count packet-number
no lldp med-fast-start-count
packet-number - Number of packets.
Chapter 26 | LLDP Commands Command Mode Global Configuration Command Usage ◆ This parameter only applies to SNMP applications which use data stored in the LLDP MIB for network monitoring or management. ◆ Information about changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a notification are included in the transmission.
Chapter 26 | LLDP Commands lldp reinit-delay This command configures the delay before attempting to re-initialize after LLDP ports are disabled or the link goes down. Use the no form to restore the default setting. Syntax lldp reinit-delay seconds no lldp reinit-delay seconds - Specifies the delay before attempting to re-initialize LLDP.
◆ This attribute must comply with the following rule: (4 * tx-delay) ≤ refresh-interval
Example
Console(config)#lldp tx-delay 10
Console(config)#

lldp admin-status
This command enables LLDP transmit, receive, or transmit and receive mode on the specified port. Use the no form to disable this feature.
Syntax
lldp admin-status {rx-only | tx-only | tx-rx}
no lldp admin-status
rx-only - Only receive LLDP PDUs.
tx-only - Only transmit LLDP PDUs.
Chapter 26 | LLDP Commands Command Usage ◆ The management address protocol packet includes the IPv4 address of the switch. If no management address is available, the address should be the MAC address for the CPU or for the port sending this advertisement. ◆ The management address TLV may also include information about the specific interface associated with this address, and an object identifier indicating the type of hardware component or protocol entity associated with this address.
◆ If both the management-ipv6-address and the IPv6 address of a VLAN interface are configured, the IPv6 address of the VLAN ID will be sent in the Management Address TLV of the LLDP PDU transmitted.
◆ Two Management Address TLVs in the LLDP PDU will be sent if both of the two conditions below are true:
■ The interface has both commands configured, i.e. management-ip-address and management-ipv6-address.
■ The VLAN interface has both IPv4 and IPv6 addresses set.
lldp basic-tlv system-capabilities
This command configures an LLDP-enabled port to advertise its system capabilities. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv system-capabilities
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system capabilities identify the primary function(s) of the system and whether or not these primary functions are enabled.
lldp basic-tlv system-name
This command configures an LLDP-enabled port to advertise the system name. Use the no form to disable this feature.
Syntax
[no] lldp basic-tlv system-name
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
The system name is taken from the sysName object in RFC 3418, which contains the system’s administratively assigned name, and is in turn based on the hostname command.
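What the basic TLVs enabled by the lldp basic-tlv commands above look like on the wire, as an added Python example (not code from the guide): a parser for the Type Length Value layout of IEEE 802.1AB that lists what a neighbor on an LLDP-enabled port learns from one advertisement. The function names and the sample LLDPDU (constructed, using documentation addresses) are assumptions.

```python
import ipaddress
import struct

TLV_NAMES = {0: "End", 1: "Chassis ID", 2: "Port ID", 3: "TTL",
             4: "Port Description", 5: "System Name", 6: "System Description",
             7: "System Capabilities", 8: "Management Address",
             127: "Organizationally Specific"}
# Bit 0 first, as defined for the System Capabilities TLV.
CAPABILITIES = ["Other", "Repeater", "Bridge", "WLAN AP", "Router",
                "Telephone", "DOCSIS", "Station Only"]


def build_tlv(tlv_type, value=b""):
    """Encode one TLV: 7-bit type and 9-bit length share a 16-bit header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(lldpdu):
    """Yield (type, value) pairs, rejecting a TLV that runs past the buffer."""
    off = 0
    while off + 2 <= len(lldpdu):
        (header,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = header >> 9, header & 0x1FF
        off += 2
        if off + length > len(lldpdu):
            raise ValueError(f"TLV type {tlv_type} overruns the LLDPDU")
        yield tlv_type, lldpdu[off:off + length]
        off += length
        if tlv_type == 0:          # End of LLDPDU
            return


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _decode_id(value, mac_subtype):
    """Chassis ID / Port ID: one subtype octet, then the identifier."""
    if len(value) < 2:
        raise ValueError("ID TLV too short")
    subtype, ident = value[0], value[1:]
    if subtype == mac_subtype and len(ident) == 6:
        return _mac(ident)
    return ident.decode("utf-8", "replace")


def _decode_caps(value):
    if len(value) != 4:
        raise ValueError("System Capabilities TLV must be 4 octets")
    supported, enabled = struct.unpack("!HH", value)
    names = lambda bits: [n for i, n in enumerate(CAPABILITIES) if bits >> i & 1]
    return {"supported": names(supported), "enabled": names(enabled)}


def _decode_mgmt(value):
    """Management Address: length octet counts the subtype plus the address."""
    if len(value) < 2 or value[0] < 2 or 1 + value[0] > len(value):
        raise ValueError("malformed Management Address TLV")
    subtype, addr = value[1], value[2:1 + value[0]]
    if subtype == 1 and len(addr) == 4:      # IPv4
        return str(ipaddress.IPv4Address(addr))
    if subtype == 2 and len(addr) == 16:     # IPv6
        return str(ipaddress.IPv6Address(addr))
    return _mac(addr)                        # e.g. a MAC address fallback


def parse_lldpdu(lldpdu):
    """Return the advertised fields of one LLDPDU as a dict keyed by TLV name."""
    tlvs = list(iter_tlvs(lldpdu))
    if [t for t, _ in tlvs[:3]] != [1, 2, 3]:
        raise ValueError("LLDPDU must start with Chassis ID, Port ID, TTL")
    info = {}
    for tlv_type, value in tlvs:
        name = TLV_NAMES.get(tlv_type, f"Type {tlv_type}")
        if tlv_type == 0:
            break
        if tlv_type == 1:
            info[name] = _decode_id(value, mac_subtype=4)
        elif tlv_type == 2:
            info[name] = _decode_id(value, mac_subtype=3)
        elif tlv_type == 3:
            if len(value) != 2:
                raise ValueError("TTL TLV must be 2 octets")
            info[name] = struct.unpack("!H", value)[0]
        elif tlv_type in (4, 5, 6):
            info[name] = value.decode("utf-8", "replace")
        elif tlv_type == 7:
            info[name] = _decode_caps(value)
        elif tlv_type == 8:
            info[name] = _decode_mgmt(value)
        else:
            info[name] = value.hex()
    return info


# Constructed sample LLDPDU (not captured from a real switch).
SAMPLE = b"".join([
    build_tlv(1, b"\x04" + bytes.fromhex("00005e005301")),      # chassis MAC
    build_tlv(2, b"\x05" + b"Eth 1/1"),                         # interface name
    build_tlv(3, struct.pack("!H", 120)),                       # TTL in seconds
    build_tlv(5, b"sw-lab-01"),
    build_tlv(6, b"constructed sample description"),
    build_tlv(7, struct.pack("!HH", 0x0014, 0x0004)),
    build_tlv(8, b"\x05\x01" + bytes([192, 0, 2, 10])           # IPv4 address
              + b"\x02" + struct.pack("!I", 1) + b"\x00"),      # ifIndex 1, no OID
    build_tlv(0),
])

if __name__ == "__main__":
    for field_name, field_value in parse_lldpdu(SAMPLE).items():
        print(f"{field_name}: {field_value}")
```

Each optional field that appears in the output corresponds to a TLV that can be turned off per port with the no form of the matching lldp basic-tlv command.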
Chapter 26 | LLDP Commands lldp dot1-tlv proto-vid This command configures an LLDP-enabled port to advertise port-based protocol VLAN information. Use the no form to disable this feature. Syntax [no] lldp dot1-tlv proto-vid Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises the port-based protocol VLANs configured on this interface (see “Configuring Protocol-based VLANs” on page 611).
lldp dot1-tlv vlan-name
This command configures an LLDP-enabled port to advertise its VLAN name. Use the no form to disable this feature.
Syntax
[no] lldp dot1-tlv vlan-name
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises the name of all VLANs to which this interface has been assigned. See switchport allowed vlan and protocol-vlan protocol-group (Configuring Interfaces).
Chapter 26 | LLDP Commands lldp dot3-tlv mac-phy This command configures an LLDP-enabled port to advertise its MAC and physical layer capabilities. Use the no form to disable this feature. Syntax [no] lldp dot3-tlv mac-phy Default Setting Enabled Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage This option advertises MAC/PHY configuration/status which includes information about auto-negotiation support/capabilities, and operational Multistation Access Unit (MAU) type.
lldp dot3-tlv poe
This command configures an LLDP-enabled port to advertise its Power-over-Ethernet (PoE) capabilities. Use the no form to disable this feature.
Chapter 26 | LLDP Commands ca-type – A one-octet descriptor of the data civic address value. (Range: 0-255) ca-value – Description of a location. (Range: 1-32 characters) Default Setting Not advertised No description Command Mode Interface Configuration (Ethernet, Port Channel) Command Usage ◆ Use this command without any keywords to advertise location identification details. ◆ Use the ca-type to advertise the physical location of the device, that is the city, street number, building and room information.
Chapter 26 | LLDP Commands location is not known, 0 and 1 can be used, providing the client device is physically close to the DHCP server or network element. Example The following example enables advertising location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-notification
Console(config-if)#

lldp med-tlv ext-poe
This command configures an LLDP-MED-enabled port to advertise and accept Extended Power-over-Ethernet configuration and usage information. Use the no form to disable this feature.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv inventory
Console(config-if)#

lldp med-tlv location
This command configures an LLDP-MED-enabled port to advertise its location identification details. Use the no form to disable this feature.
Syntax
[no] lldp med-tlv location
Default Setting
Enabled
Command Mode
Interface Configuration (Ethernet, Port Channel)
Command Usage
This option advertises location identification details.
Example
Console(config)#interface ethernet 1/1
Console(config-if)#lldp med-tlv med-cap
Console(config-if)#

lldp med-tlv network-policy
This command configures an LLDP-MED-enabled port to advertise its network policy configuration. Use the no form to disable this feature.
Chapter 26 | LLDP Commands notifications include information about state changes in the LLDP MIB (IEEE 802.1AB), or organization-specific LLDP-EXT-DOT1 and LLDP-EXT-DOT3 MIBs. ◆ SNMP trap destinations are defined using the snmp-server host command. ◆ Information about additional changes in LLDP neighbors that occur between SNMP notifications is not transmitted. Only state changes that exist at the time of a trap notification are included in the transmission.
LLDP Port Configuration
Port     Admin Status Notification Enabled
-------- ------------ --------------------
Eth 1/1  Tx-Rx        True
Eth 1/2  Tx-Rx        True
Eth 1/3  Tx-Rx        True
Eth 1/4  Tx-Rx        True
Eth 1/5  Tx-Rx        True
.
.
.
Console#show lldp config detail ethernet 1/1
LLDP Port Configuration Detail
Port : Eth 1/1
Admin Status : Tx-Rx
Notification Enabled : True
Basic TLVs Advertised : port-description
                        system-name
                        system-description
                        system-capabilities
                        management-ip-address
802.
show lldp info local-device
This command shows LLDP global and interface-specific configuration settings for this device.

Syntax
show lldp info local-device [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
show lldp info remote-device
This command shows LLDP global and interface-specific configuration settings for remote devices attached to an LLDP-enabled port.

Syntax
show lldp info remote-device [detail interface]
detail - Shows detailed information.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
Port MAU Type : 16
Power via MDI
Power Class : PSE
Power MDI Supported : Yes
Power MDI Enabled : Yes
Power Pair Controllable : No
Power Pairs : Spare
Power Classification : Class 1
Link Aggregation
Link Aggregation Capable : Yes
Link Aggregation Enable : No
Link Aggregation Port ID : 0
Max Frame Size : 1522
Remote Power via MDI :
Remote power class : PSE
Remote power MDI supported : Yes
Remote power MDI enabled : Yes
Remote power pair controllable : No
Remote power pairs : S
show lldp info statistics
This command shows statistics based on traffic received through all attached LLDP-enabled interfaces.

Syntax
show lldp info statistics [detail interface]
detail - Shows configuration summary.
interface
ethernet unit/port
unit - Unit identifier. (Range: 1)
port - Port number.
The following example shows the information displayed for an end-node device which advertises LLDP-MED TLVs. ...
Example
Console#show lldp info statistics
LLDP Global Statistics
Neighbor Entries List Last Updated : 96 seconds
New Neighbor Entries Count         : 3
Neighbor Entries Deleted Count     : 1
Neighbor Entries Dropped Count     : 0
Neighbor Entries Ageout Count      : 0

LLDP Port Statistics
Port     NumFramesRecvd NumFramesSent NumFramesDiscarded
-------- -------------- ------------- -----------------
Eth 1/1  822            821           0
Eth 1/2  0              0             0
Eth 1/3  0              0             0
Eth 1/4  0              0             0
Eth 1/5  849            862           0
.
.
.
27 CFM Commands

Connectivity Fault Management (CFM) is an OAM protocol that includes proactive connectivity monitoring using continuity check messages, fault verification through loop back messages, and fault isolation by examining end-to-end connections between provider edge devices or between customer edge devices. CFM is implemented as a service level protocol based on service instances which encompass only that portion of the metropolitan area network supporting a specific customer.
Chapter 27 | CFM Commands

Table 154: CFM Commands (Continued)
Command: ma index name-format
Function: Specifies the name format for the maintenance association as IEEE 802.1ag character based, or ITU-T SG13/SG15 Y.
Mode: CFM
Table 154: CFM Commands (Continued)
Command: ethernet cfm mep crosscheck
Function: Enables cross-checking between the list of configured remote MEPs within a maintenance association and MEPs learned through continuity check messages
Mode: PE

Command: show ethernet cfm maintenance-points remote crosscheck
Function: Displays information about remote maintenance points configured statically in a cross-check list
Mode: PE

Command: ethernet cfm linktrace cache
Function: Enables caching of CFM data learned through link tra
Defining CFM Structures

4. Enter a static list of MEPs assigned to other devices within the same maintenance association using the mep crosscheck mpid command. This allows CFM to automatically verify the functionality of these remote end points by cross-checking the static list configured on this device against information learned through continuity check messages.
5. Enable CFM globally on the switch with the ethernet cfm enable command.
6.
Example
This example sets the maintenance level for sending AIS messages within the specified MA.
Console(config)#ethernet cfm ais level 4 md voip ma rd
Console(config)#

ethernet cfm ais ma
This command enables the MEPs within the specified MA to send frames with AIS information following detection of defect conditions. Use the no form to disable this feature.

Syntax
[no] ethernet cfm ais md domain-name ma ma-name
domain-name – Domain name.
ethernet cfm ais period
This command configures the interval at which AIS information is sent. Use the no form to restore the default setting.

Syntax
ethernet cfm ais period period md domain-name ma ma-name
no ethernet cfm ais period md domain-name ma ma-name
period – The interval at which AIS information is sent. (Options: 1 second, 60 seconds)
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
ma-name – Maintenance association name.
with AIS information. More importantly, it cannot determine the associated subset of its peer MEPs for which it should suppress alarms since the received AIS information does not contain that information. Therefore, upon reception of a frame with AIS information, the MEP will suppress alarms for all peer MEPs whether there is still connectivity or not.
Default Setting
No maintenance domains are configured.
No MIPs are created for any MA in the specified domain.

Command Mode
Global Configuration

Command Usage
◆ A domain can only be configured with one name.
◆ Where domains are nested, an upper-level hierarchical domain must have a higher maintenance level than the ones it encompasses. The higher to lower level domain types commonly include entities such as customer, service provider, and operator.
which can only validate received CFM messages, and respond to loop back and link trace messages. The MIP creation method defined by the ma index name command takes precedence over the method defined by this command.

Example
This example creates a maintenance domain set to maintenance level 3, and enters CFM configuration mode for this domain.
ma index name
This command creates a maintenance association (MA) within the current maintenance domain, maps it to a customer service instance (S-VLAN), and sets the manner in which MIPs are created for this service instance. Use the no form with the vlan keyword to remove the S-VLAN from the specified MA. Or use the no form with only the index keyword to remove the MA from the current domain.
◆ Before removing an MA, first remove all the MEPs configured for it (see the mep crosscheck mpid command).
◆ If the MIP creation method is not defined by this command, the creation method defined by the ethernet cfm domain command is applied to this MA. For a detailed description of the MIP types, refer to the Command Usage section under the ethernet cfm domain command.
ethernet cfm mep
This command sets an interface as a domain boundary, defines it as a maintenance end point (MEP), and sets direction of the MEP in regard to sending and receiving CFM messages. Use the no form to delete a MEP.

Syntax
ethernet cfm mep mpid mpid md domain-name ma ma-name [up]
no ethernet cfm mep mpid mpid ma ma-name
mpid – Maintenance end point identifier. (Range: 1-8191)
domain-name – Domain name.
ethernet cfm port-enable
This command enables CFM processing on an interface. Use the no form to disable CFM processing on an interface.

Syntax
[no] ethernet cfm port-enable

Default Setting
Enabled

Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ An interface must be enabled before a MEP can be created with the ethernet cfm mep command.
Command Usage
This command can be used to clear AIS defect entries if a MEP does not exit the AIS state when all errors are resolved.

Example
This example clears AIS defect entries on port 1.
Console#clear ethernet cfm ais mpid 1 md voip ma rd
Console#

show ethernet cfm configuration
This command displays CFM configuration settings, including global settings, SNMP traps, and interface settings.
This example shows the configuration status for continuity check and cross-check traps.
show ethernet cfm md
This command displays the configured maintenance domains.

Syntax
show ethernet cfm md [level level]
level – Maintenance level. (Range: 0-7)

Default Setting
None

Command Mode
Privileged Exec

Example
This example shows all configured maintenance domains.
Console#show ethernet cfm md
MD Index MD Name             Level MIP Creation Archive Hold Time (m.
-------- ------------------- ----  -----------
1        rd                  0     default
Console#
show ethernet cfm maintenance-points local
This command displays the maintenance points configured on this device.

Syntax
show ethernet cfm maintenance-points local {mep [domain domain-name | interface interface | level level-id] | mip [domain domain-name | level level-id]}
mep – Displays only local maintenance end points.
mip – Displays only local maintenance intermediate points.
domain-name – Domain name.
show ethernet cfm maintenance-points local detail mep
This command displays detailed CFM information about a local MEP in the continuity check database.

Syntax
show ethernet cfm maintenance-points local detail mep [domain domain-name | interface interface | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
interface – Displays CFM status for the specified interface.
ethernet unit/port
unit - Unit identifier.
Table 156: show ethernet cfm maintenance-points local detail mep - display
Field    Description
MPID     MEP identifier
MD Name  The maintenance domain for this entry.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Use the mpid keyword with this command to display information about a specific maintenance point, or use the mac keyword to display information about all maintenance points that have the specified MAC address.

Example
This example shows detailed information about the remote MEP designated by MPID 2.
Table 157: show ethernet cfm maintenance-points remote detail - display
Field       Description
Port State  Port states include:
            Up – The port is functioning normally.
            Blocked – The port has been blocked by the Spanning Tree Protocol.
            No port state – Either no CCM has been received, or no port status TLV was received in the last CCM.
Continuity Check Operations

CCMs are issued should therefore be configured to detect connectivity problems in a timely manner, as dictated by the nature and size of the MA.
◆ The maintenance of a MIP CCM database by a MIP presents some difficulty for bridges carrying a large number of Service Instances, and for those whose MEPs are issuing CCMs at a high frequency. For this reason, slower CCM transmission rates may have to be used.
◆ If a maintenance point receives a CCM with an invalid MEPID or MA level or an MA level lower than its own, a failure is registered which indicates a configuration error or cross-connect error (i.e., overlapping MAs).

Example
This example enables continuity check messages for the specified maintenance association.
Example
This example enables SNMP traps for mep-up events.
Console(config)#snmp-server enable traps ethernet cfm cc mep-up
Console(config)#

Related Commands
ethernet cfm mep crosscheck (829)

mep archive-hold-time
This command sets the time that data from a missing MEP is retained in the continuity check message (CCM) database before being purged. Use the no form to restore the default setting.
Default Setting
None

Command Mode
Privileged Exec

Command Usage
Use this command without any keywords to clear all entries in the CCM database. Use the domain keyword to clear the CCM database for a specific domain, or the level keyword to clear it for a specific maintenance level.
show ethernet cfm errors
This command displays the CFM continuity check errors logged on this device.

Syntax
show ethernet cfm errors [domain domain-name | level level-id]
domain-name – Domain name. (Range: 1-43 alphanumeric characters)
level-id – Authorized maintenance level for this domain.
Cross Check Operations

ethernet cfm mep crosscheck start-delay
This command sets the maximum delay that a device waits for remote MEPs to come up before starting the cross-check operation. Use the no form to restore the default setting.

Syntax
ethernet cfm mep crosscheck start-delay delay
no ethernet cfm mep crosscheck start-delay
delay – The time a device waits for remote MEPs to come up before the cross-check is started.
mep-unknown – Sends a trap if an unconfigured MEP comes up.

Default Setting
All continuity checks are enabled.

Command Mode
Global Configuration

Command Usage
◆ For this trap type to function, cross-checking must be enabled on the required maintenance associations using the ethernet cfm mep crosscheck command.
Command Usage
◆ Use this command to statically configure remote MEPs that exist inside the maintenance association. These remote MEPs are used in the cross-check operation to verify that all endpoints in the specified MA are operational.
◆ Remote MEPs can only be configured with this command if domain service access points (DSAPs) have already been created with the ethernet cfm mep command at the same maintenance level and in the same MA.
◆ The cross-check process is disabled by default, and must be manually started using this command with the enable keyword.

Example
This example enables cross-checking within the specified maintenance association.
Console#ethernet cfm mep crosscheck enable md voip ma rd
Console#

show ethernet cfm maintenance-points remote crosscheck
This command displays information about remote MEPs statically configured in a cross-check list.
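The cross-check described above, together with the CCM validity rule from the continuity check section, as an added Python sketch of the logic (not the switch's implementation). The sample CCM records, the 10-second start delay, the finding labels, and the choice to ignore CCMs from a higher maintenance level are assumptions made for the example.

```python
from dataclasses import dataclass

MPID_RANGE = range(1, 8192)   # MPID range given for "ethernet cfm mep" (1-8191)


@dataclass(frozen=True)
class CCM:
    """One received continuity check message (constructed sample record)."""
    t: float      # seconds since cross-checking was enabled
    mpid: int     # MEP identifier carried in the CCM
    level: int    # maintenance level carried in the CCM (0-7)


def cross_check(configured, local_level, start_delay, ccms, now):
    """Compare the static remote-MEP list with the MEPs learned from CCMs.

    configured  - set of MPIDs entered with "mep crosscheck mpid"
    local_level - maintenance level of the local MA
    start_delay - seconds to wait for remote MEPs before cross-checking
    ccms        - iterable of CCM records
    now         - evaluation time, seconds since cross-checking was enabled
    """
    ccm_errors = []   # continuity check failures, reported at any time
    learned = set()   # MPIDs seen in at least one valid CCM

    for ccm in sorted(ccms, key=lambda c: c.t):
        if ccm.t > now:
            continue          # not received yet
        if ccm.level > local_level:
            continue          # assumption: frame belongs to an enclosing domain
        if ccm.mpid not in MPID_RANGE:
            ccm_errors.append((ccm.mpid, "invalid MPID"))
        elif ccm.level < local_level:
            ccm_errors.append((ccm.mpid, "lower MA level (cross-connect)"))
        else:
            learned.add(ccm.mpid)

    report = {"ccm_errors": ccm_errors, "unknown": [], "missing": []}
    if now >= start_delay:
        # Only after the start delay is the static list compared.
        report["unknown"] = sorted(learned - set(configured))  # mep-unknown case
        report["missing"] = sorted(set(configured) - learned)
    return report


# Constructed sample: remote MEPs 2 and 3 are configured at level 4.
SAMPLE_CCMS = [
    CCM(1.0, 2, 4),      # expected peer
    CCM(2.0, 7, 4),      # valid CCM from an MPID that was never configured
    CCM(3.0, 3, 2),      # configured MPID, but sent from a lower-level MA
    CCM(4.0, 9000, 4),   # MPID outside 1-8191
]

if __name__ == "__main__":
    for now in (5, 12):
        print(now, cross_check({2, 3}, 4, 10, SAMPLE_CCMS, now))
```

An MPID that appears under "unknown" is an end point nobody provisioned for this MA, so it is worth investigating rather than simply adding to the static list.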
Link Trace Operations

Command Mode
Global Configuration

Command Usage
◆ A link trace message is a multicast CFM frame initiated by a MEP, and forwarded from MIP to MIP, with each MIP generating a link trace reply, up to the point at which the link trace message reaches its destination or can no longer be forwarded.
◆ Use this command to enable the link trace cache to store the results of link trace operations initiated on this device.
Example
This example sets the aging time for entries in the link trace cache to 60 minutes.
Console(config)#ethernet cfm linktrace cache hold-time 60
Console(config)#

ethernet cfm linktrace cache size
This command sets the maximum size for the link trace cache. Use the no form to restore the default setting.
ethernet cfm linktrace
This command sends CFM link trace messages to the MAC address of a remote MEP.

Syntax
ethernet cfm linktrace {dest-mep destination-mpid | src-mep source-mpid {dest-mep destination-mpid | mac-address} | mac-address} md domain-name ma ma-name [priority level | ttl number]
destination-mpid – The identifier of a remote MEP that is the target of the link trace message.
◆ When using the command line or web interface, the source MEP used to send a link trace message is chosen by the CFM protocol. However, when using SNMP, the source MEP can be specified by the user.

Example
This example sends a link trace message to the specified MEP with a maximum hop count of 25.
Console#ethernet cfm linktrace dest-mep 2 md voip ma rd ttl 25
Console#

clear ethernet cfm
This command clears link trace messages logged on this device.
Loopback Operations

Table 159: show ethernet cfm linktrace-cache - display description (Continued)
Field        Description
Ing. Action  Action taken on the ingress port:
             IngOk – The target data frame passed through to the MAC Relay Entity.
             IngDown – The bridge port’s MAC_Operational parameter is false.
packet-size – The size of the loopback message. (Range: 64-1518 bytes)

Default Setting
Loop back count: One loopback message is sent.
Loop back size: 64 bytes

Command Mode
Privileged Exec

Command Usage
◆ Use this command to test the connectivity between maintenance points. If the continuity check database does not have an entry for the specified maintenance point, an error message will be displayed.
Fault Generator Operations

alarm-time – The time that one or more defects must be present before a fault alarm is generated.
an appropriate SNMP software tool, diagnose the fault, correct it, re-examine the MEP’s managed objects to see whether the MEP fault notification generator state machine has been reset, and repeat those steps until the fault is resolved.
◆ Only the highest priority defect currently detected is reported in the fault alarm.
mep fault-notify reset-time
This command configures the time after a fault alarm has been issued, and no defect exists, before another fault alarm can be issued. Use the no form to restore the default setting.

Syntax
mep fault-notify reset-time reset-time
no fault-notify reset-time
reset-time – The time that must pass without any further defects indicated before another fault alarm can be generated.
Table 162: show fault-notify-generator - display description
Field           Description
MD Name         The maintenance domain for this entry.
MA Name         The maintenance association for this entry.
Highest Defect  The highest defect that will generate a fault alarm. (This is disabled by default.)
Lowest Alarm    The lowest defect that will generate a fault alarm (see the mep fault-notify lowest-priority command).
Delay Measure Operations

Default Setting
Count: 5
Interval: 1 second
Size: 64 bytes
Timeout: 5 seconds

Command Mode
Privileged Exec

Command Usage
◆ Delay measurement can be used to measure frame delay and frame delay variation between MEPs.
◆ A local MEP must be configured for the same MA before you can use this command.
◆ If a MEP is enabled to generate frames with delay measurement (DM) information, it periodically sends DM frames to its peer MEP in the same MA.
28 OAM Commands

The switch provides OAM (Operation, Administration, and Maintenance) remote management tools required to monitor and maintain the links to subscriber CPEs (Customer Premise Equipment). This section describes functions including enabling OAM for selected ports, loop back testing, and displaying device information.
Chapter 28 | OAM Commands

efm oam
This command enables OAM functions on the specified port. Use the no form to disable this function.

Syntax
[no] efm oam

Default Setting
Disabled

Command Mode
Interface Configuration

Command Usage
◆ If the remote device also supports OAM, both exchange Information OAMPDUs to establish an OAM link.
◆ Not all CPEs support OAM functions, and OAM is therefore disabled by default.
◆ Dying gasp events are caused by an unrecoverable failure, such as a power failure or device reset.

Note: When system power fails, the switch will always send a dying gasp trap message prior to power down.

Example
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam critical-link-event dying-gasp
Console(config-if)#

efm oam link-monitor frame
This command enables reporting of errored frame link events. Use the no form to disable this function.
count - The threshold for errored frame link events. (Range: 1-65535)

Default Setting
1

Command Mode
Interface Configuration

Command Usage
If this feature is enabled, an event notification message is sent if the threshold is reached or exceeded within the period specified by the efm oam link-monitor frame window command. The Errored Frame Event TLV includes the number of errored frames detected during the specified period.
Console(config)#interface ethernet 1/1
Console(config-if)#efm oam link-monitor frame window 50
Console(config-if)#

efm oam mode
This command sets the OAM mode on the specified port. Use the no form to restore the default setting.

Syntax
efm oam mode {active | passive}
no efm oam mode
active - All OAM functions are enabled.
passive - All OAM functions are enabled, except for OAM discovery, and sending loopback control OAMPDUs.
Example
Console#clear efm oam counters
Console#

Related Commands
show efm oam counters interface (850)

clear efm oam event-log
This command clears all entries from the OAM event log for the specified port.

Syntax
clear efm oam event-log [interface-list]
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Command Usage
◆ OAM remote loop back can be used for fault localization and link performance testing. Statistics from both the local and remote DTE can be queried and compared at any time during loop back testing.
◆ Use the efm oam remote-loopback start command to start OAM remote loop back test mode on the specified port. Afterwards, use the efm oam remote-loopback test command to start sending test packets.
Command Usage
◆ You can use this command to perform an OAM remote loopback test on the specified port. The port that you specify to run this test must be connected to a peer OAM device capable of entering into OAM remote loopback mode.
◆ During a remote loopback test, the remote OAM entity loops back every frame except for OAMPDUs and pause frames.
◆ OAM remote loopback can be used for fault localization and link performance testing.
show efm oam event-log interface
This command displays the OAM event log for the specified port(s) or for all ports that have logs.

show efm oam event-log interface [interface-list]
interface-list - unit/port
unit - Unit identifier. (Range: 1)
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports.
Console#show efm oam event-log interface 1/1
<--- When dying gasp happens and the switch gets these packets, it will log this event in the OAM event-log.
port - Port number or list of ports. To enter a list, separate nonconsecutive port identifiers with a comma and no spaces; use a hyphen to designate a range of ports. (Range: 1-28)
brief - Displays a brief list of OAM configuration states.
---- ----------------- ------ -------- -------------- ------- -----------
1/1  00-12-CF-6A-07-F6 000084 Enabled  Disabled       Enabled Disabled
Console#
29 Domain Name Service Commands

These commands are used to configure Domain Naming System (DNS) services. Entries can be manually configured in the DNS domain name to IP address mapping table, default domain names configured, or one or more name servers specified to use for domain name to address translation. Note that domain name services will not be enabled until at least one name server is specified with the ip name-server command and domain lookup is enabled with the ip domain-lookup command.
Chapter 29 | Domain Name Service Commands

ip domain-list
This command defines a list of domain names that can be appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove a name from this list.

Syntax
[no] ip domain-list name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
ip domain-lookup
This command enables DNS host name-to-address translation. Use the no form to disable DNS.

Syntax
[no] ip domain-lookup

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
At least one name server must be specified before DNS can be enabled.
ip domain-name
This command defines the default domain name appended to incomplete host names (i.e., host names passed from a client that are not formatted with dotted notation). Use the no form to remove the current domain name.

Syntax
ip domain-name name
no ip domain-name
name - Name of the host. Do not include the initial dot that separates the host name from the domain name.
Command Usage
Use the no ip host command to clear static entries, or the clear host command to clear dynamic entries.

Example
This example maps an IPv4 address to a host name.
Console(config)#ip host rd5 192.168.1.55
Console(config)#end
Console#show hosts
No.  Flag Type    IP Address           TTL   Domain
---- ---- ------- -------------------- ----- ------------------------------
0    2    Address 192.168.1.
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#

Related Commands
ip domain-name (858)
ip domain-lookup (857)

ipv6 host
This command creates a static entry in the DNS table that maps a host name to an IPv6 address. Use the no form to remove an entry.

Syntax
[no] ipv6 host name ipv6-address
name - Name of an IPv6 host. (Range: 1-127 characters)
ipv6-address - Corresponding IPv6 address.
clear dns cache
This command clears all entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#clear dns cache
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------- --------------- ------- -------
Console#

clear host
This command deletes dynamic entries from the DNS table.

Syntax
clear host {name | *}
name - Name of the host. (Range: 1-127 characters)
* - Removes all entries.
Example
Console#show dns
Domain Lookup Status:
DNS enabled
Default Domain Name:
sample.com
Domain Name List:
sample.com.jp
sample.com.uk
Name Server List:
192.168.1.55
10.1.0.55
Console#

show dns cache
This command displays entries in the DNS cache.

Command Mode
Privileged Exec

Example
Console#show dns cache
No.     Flag    Type    IP Address      TTL     Host
------- ------- ------  --------------- ------- -------
0       4       Host    52.196.118.60   3501    www.
1       4       Host
2       4       Host
3       4       CNAME
Console#
Example
Note that a host name will be displayed as an alias if it is mapped to the same address(es) as a previously configured entry.
Console#show hosts
No.  Flag Type    IP Address           TTL   Host
---- ---- ------- -------------------- ----- ----------------------------------
0    2    Address 192.168.2.1                rdrouter
1    4    Address 52.196.118.60        3341  www.accton.com
2    4    Address 166.62.56.229        21381 www.edge-core.com
3    4    Address 35.201.87.174        1627  ignitenet.
4    4    CNAME   POINTER TO:3
Console#
30 DHCP Commands

These commands are used to configure Dynamic Host Configuration Protocol (DHCP) client functions and relay functions. Any VLAN interface on this switch can be configured to automatically obtain an IP address through DHCP. This switch can also be configured to relay DHCP client configuration requests to a DHCP server on another network.
Chapter 30 | DHCP Commands

DHCP Client

DHCP for IPv4

ip dhcp client class-id
This command specifies the DHCP client vendor class identifier for the current interface. Use the no form to remove the class identifier from the DHCP packet.

Syntax
ip dhcp client class-id [text text | hex hex]
no ip dhcp client class-id
text - A text string. (Range: 1-32 characters)
hex - A hexadecimal value. (Range: 1-64 characters)

Default Setting
Class identifier option enabled, with the name of the switch.
Table 170: Options 55 and 124 Statements
Option  Statement Keyword            Statement Parameter
55      dhcp-parameter-request-list  a list of parameters, separated by ','
124     vendor-class-identifier      a string indicating the vendor class identifier

◆ The server should reply with Option 66 attributes, including the TFTP server name and boot file name.
Example
In the following example, the device is reassigned the same address.
Console(config)#interface vlan 1
Console(config-if)#ip address dhcp
Console(config-if)#end
Console#ip dhcp restart client
Console#show ip interface
VLAN 1 is Administrative Up - Link Up
Address is 8C-EA-1B-B7-C9-F4
Index: 1001, MTU: 1500
Address Mode is DHCP
IP Address: 192.168.2.218 Mask: 255.255.255.
◆ If the rapid commit option has been enabled on the switch with this command, and on the DHCPv6 server, message exchange can be reduced from the normal four step process to a two-step exchange of only solicit and reply messages.

Example
Console(config)#ipv6 dhcp client rapid-commit vlan 2
Console(config)#

DHCP Relay Option 82

This section describes commands used to configure the switch to relay DHCP requests from local hosts to a remote DHCP server.
Default Setting
Enabled

Example
Console(config)#ip dhcp l3 relay
Console(config)#

ip dhcp relay server
This command specifies the DHCP server or relay server addresses to use. Use the no form to clear all addresses.

Syntax
ip dhcp relay server address1 [address2 [address3 ...]]
no ip dhcp relay server
address - IP address of DHCP server.
Example
Console(config)#ip dhcp relay server 192.168.10.19
Console(config)#

ip dhcp relay information option
This command enables DHCP Option 82 information relay, and specifies the frame format to use for the remote-id when Option 82 information is generated by the switch. Use the no form of this command to disable this feature.
◆ By default, the relay agent also fills in the Option 82 circuit-id field with information indicating the local interface over which the switch received the DHCP client request, including the VLAN ID, stack unit, and port. This allows DHCP client-server exchange messages to be forwarded between the server and client without having to flood them onto the entire VLAN.
◆ DHCP packets are flooded onto the VLAN which received them if DHCP relay service is enabled on the switch and any of the following situations apply:
  ■ There is no DHCP relay server set on the switch, when the switch receives a DHCP packet.
  ■ A DHCP relay server has been set on the switch, when the switch receives a DHCP request packet with a non-zero relay agent address field (that is not the address of this switch).
ip dhcp relay information policy
This command specifies how to handle client requests which already contain DHCP Option 82 information.

Syntax
ip dhcp relay information policy {drop | keep | replace}
drop - Floods the original request packet onto the VLAN that received it instead of relaying it.
keep - Retains the Option 82 information in the client request, inserts the relay agent’s address, and unicasts the packet to the DHCP server.
Chapter 30 | DHCP Commands DHCP Server

Example
Console#show ip dhcp relay
L2 relay: enabled.
Status of DHCP relay information:
Insertion of relay information: disabled.
DHCP option policy: drop.
DHCP relay-server address: 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.
Table 172: DHCP Server Commands (Continued)
Command | Function | Mode
lease | Sets the duration an IP address is assigned to a DHCP client | DC
netbios-name-server | Configures NetBIOS Windows Internet Naming Service (WINS) name servers available to Microsoft DHCP clients | DC
netbios-node-type | Configures NetBIOS node type for Microsoft DHCP clients | DC
network | Configures the subnet number and mask for a DHCP address pool | DC
next-server | Configures the next server in the b
name - A string or integer. (Range: 1-32 characters)

Default Setting
DHCP address pools are not configured.

Command Mode
Global Configuration

Usage Guidelines
◆ After executing this command, the switch changes to DHCP Pool Configuration mode, identified by the (config-dhcp)# prompt.
◆ From this mode, first configure address pools for the network interfaces (using the network command).
Example
Console(config)#service dhcp
Console(config)#

bootfile
This command specifies the name of the default boot image for a DHCP client. This file should be placed on the Trivial File Transfer Protocol (TFTP) server specified with the next-server command. Use the no form to delete the boot image name.

Syntax
bootfile filename
no bootfile
filename - Name of the file that is used as a default boot image.
Command Usage
◆ This command identifies a DHCP client to bind to an address specified in the host command. If both a client identifier and hardware address are configured for a host address, the client identifier takes precedence over the hardware address in the search procedure.
◆ BOOTP clients cannot transmit a client identifier. To bind an address to a BOOTP client, you must associate a hardware address with the host entry.
Syntax
dns-server address1 [address2]
no dns-server
address1 - Specifies the IP address of the primary DNS server.
address2 - Specifies the IP address of the alternate DNS server.

Default Setting
None

Command Mode
DHCP Pool Configuration

Usage Guidelines
◆ If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to IP addresses.
◆ Servers are listed in order of preference (starting with address1 as the most preferred server).
hardware-address
This command specifies the hardware address of a DHCP client. This command is valid for manual bindings only. Use the no form to remove the hardware address.

Syntax
hardware-address hardware-address type
no hardware-address
hardware-address - Specifies the MAC address of the client device.
Command Mode
DHCP Pool Configuration

Usage Guidelines
◆ Host addresses must fall within the range specified for an existing network pool.
◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e.
days - Specifies the duration of the lease in numbers of days. (Range: 0-364)
hours - Specifies the number of hours in the lease. A days value must be supplied before you can configure hours. (Range: 0-23)
minutes - Specifies the number of minutes in the lease. A days and hours value must be supplied before you can configure minutes. (Range: 0-59)
infinite - Specifies that the lease time is unlimited.
Example
Console(config-dhcp)#netbios-name-server 10.1.0.33 10.1.0.34
Console(config-dhcp)#

Related Commands
netbios-node-type (884)

netbios-node-type
This command configures the NetBIOS node type for Microsoft DHCP clients. Use the no form to remove the NetBIOS node type.
network-number - The IP address of the DHCP address pool.
mask - The bit combination that identifies the network (or subnet) and the host portion of the DHCP address pool.

Command Mode
DHCP Pool Configuration

Usage Guidelines
◆ When a client request is received, the switch first checks for a network address pool matching the gateway where the request originated (i.e., if the request was forwarded by a relay server). If there is no gateway in the client request (i.e.
Command Mode
DHCP Pool Configuration

Example
Console(config-dhcp)#next-server 10.1.0.21
Console(config-dhcp)#

Related Commands
bootfile (878)

clear ip dhcp binding
This command deletes an automatic address binding from the DHCP server database.

Syntax
clear ip dhcp binding {address | * }
address - The address of the binding to clear.
* - Clears all automatic bindings.
show ip dhcp
This command displays a brief list of DHCP address pools configured on the switch.

Command Mode
Privileged Exec

Example
Console#show ip dhcp
Name     Type IP Address      Mask            Active Pool
-------- ---- --------------- --------------- ------------------------------
tps      Net  192.168.1.0     255.255.255.0   192.168.1.1 - 192.168.1.254
Total entry : 1
Console#

show ip dhcp binding
This command displays address bindings on the DHCP server.
Chapter 30 | DHCP Commands DHCP Dynamic Provisioning

Default Setting
None

Command Mode
Privileged Exec

Example
Console#show ip dhcp pool
Pool name : R&D
Pool type : Network
Network address : 192.168.0.1
Subnet mask : 255.255.255.0
Boot file :
Client identifier mode : Hex
Client identifier :
Default router : 0.0.0.0 0.0.0.0
DNS server : 0.0.0.0 0.0.0.0
Domain name :
Hardware type : None
Hardware address : 00-00-00-00-00-00
Lease time : infinite
Netbios name server : 0.0.0.0 0.0.0.
Table 173: DHCP Client Commands
Command | Function | Mode
ipv6 dhcp dynamic-provision | Specifies the Rapid Commit option for DHCPv6 message exchange | GC
show ipv6 dhcp dynamic-provision | Specifies the Rapid Commit option for DHCPv6 message exchange | GC

ip dhcp dynamic-provision
Use this command to enable dynamic provision through DHCP protocol. Use the no form of the command to disable it.
◆ Once a configuration file has been downloaded using TFTP, the dynamic provision process will stop.
◆ The configuration file size stored on the remote server must be smaller than the available memory of the switch.
◆ To comply with TFTP the boot filename length on the server can be a maximum of 127 characters whereas on the switch only 32 characters are supported.
ipv6 dhcp dynamic-provision
Use this command to enable dynamic provision through DHCPv6 protocol. Use the no form of the command to disable it.

[no] ipv6 dhcp dynamic-provision

Default Setting
Disabled

Command Mode
Global Configuration

Command Usage
The switch will use a DHCPv6 server specified configuration file when the switch is assigned an IPv6 address from a DHCPv6 server.
◆ If the configuration filename on the remote TFTPv6 server matches a configuration filename on the switch, the switch file will be overwritten.
◆ If the configuration filename on the remote TFTPv6 server matches the factory default filename, the download will fail.
31 IP Interface Commands

An IP Version 4 and Version 6 address may be used for management access to the switch over the network. Both IPv4 and IPv6 addresses can be used simultaneously to access the switch. You can manually configure a specific IPv4 or IPv6 address or direct the switch to obtain an IPv4 address from a BOOTP or DHCP server when it is powered on. An IPv6 address can either be manually configured or dynamically generated.
Chapter 31 | IP Interface Commands IPv4 Interface

Basic IPv4 Configuration
This section describes commands used to configure IP addresses for VLAN interfaces on the switch.
Command Usage
◆ If this router is directly connected to end node devices (or connected to end nodes via shared media) that will be assigned to a specific subnet, then you must create a router interface for each VLAN that will support routing. The router interface consists of an IP address and subnet mask. This interface address defines both the network number to which the router interface is attached and the router’s host number on that network.
Example
In the following example, the device is assigned an address in VLAN 1.
Console(config)#interface vlan 1
Console(config-if)#ip address 192.168.1.5 255.255.255.0
Console(config-if)#

This example assigns an IP address to VLAN 2 using a classless network mask.
Console(config)#interface vlan 2
Console(config-if)#ip address 10.2.2.
after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface.

Example
The following example defines a default gateway for this device:
Console(config)#ip default-gateway 192.168.2.
show ip traffic
This command displays statistics for IP, ICMP, UDP, TCP and ARP protocols.
input errors 5867 output
Console#

traceroute
This command shows the route packets take to the specified destination.

Syntax
traceroute host
host - IP address or alias of the host.

Default Setting
None

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute command to determine the path taken to reach a specified destination.
Traceroute to 192.168.2.243, 30 hops max, timeout is 3 seconds
Hop Packet 1 Packet 2 Packet 3 IP Address
--- -------- -------- -------- ---------------
  1    20 ms    10 ms    10 ms 192.168.2.243
Trace completed.
Console#

ping
This command sends (IPv4) ICMP echo request packets to another node on the network.

Syntax
ping host [count count] [size size]
host - IP address or alias of the host.
count - Number of packets to send.
Example
Console#ping 10.1.0.9
Press ESC to abort.
PING to 10.1.0.9, by 5 32-byte payload ICMP packets, timeout is 5 seconds
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 10 ms
response time: 0 ms
Ping statistics for 10.1.0.
Command Usage
◆ The ARP cache is used to map 32-bit IP addresses into 48-bit hardware (i.e., Media Access Control) addresses. This cache includes entries for hosts and other routers on local network interfaces defined on this router.
◆ The maximum number of static entries allowed in the ARP cache is 32.
◆ A static entry may need to be used if there is no response to an ARP broadcast message.
Example
Console(config)#interface vlan 3
Console(config-if)#ip proxy-arp
Console(config-if)#

arp timeout
This command sets the aging time for dynamic entries in the Address Resolution Protocol (ARP) cache. Use the no form to restore the default timeout.

Syntax
arp timeout seconds
no arp timeout
seconds - The time a dynamic entry remains in the ARP cache.
clear arp-cache
This command deletes all dynamic entries from the Address Resolution Protocol (ARP) cache.

Command Mode
Privileged Exec

Example
This example clears all dynamic entries in the ARP cache.
Console#clear arp-cache
This operation will delete all the dynamic entries in ARP Cache.
Do you want to continue this operation (y/n)?y
Console#

show arp
This command displays entries in the Address Resolution Protocol (ARP) cache.
Chapter 31 | IP Interface Commands IPv6 Interface

IPv6 Interface
This switch supports the following IPv6 interface commands.
Table 178: IPv6 Configuration Commands (Continued)
Command | Function | Mode
ipv6 nd ra interval | Configures the time between sending IPv6 router advertisements | IC
ipv6 nd ra lifetime | Configures the lifetime of IPv6 router advertisements | IC
ipv6 nd ra routerpreference | Sets the router's default routing preference | IC
ipv6 nd ra suppress | Suppresses the sending of periodic router advertisements | IC
ipv6 nd raguard | Blocks incoming Router Advertisement an
◆ An IPv6 default gateway must be defined if a destination is located in a different IP segment. An IPv6 default gateway can only be successfully set when a network interface that directly connects to the gateway has been configured on the switch.
◆ If a link-local address has not yet been assigned to this interface, this command will assign the specified static global unicast address and also dynamically generate a link-local unicast address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.)
◆ If a duplicate address is detected, a warning message is sent to the console.
Command Mode
Interface Configuration (VLAN)

Command Usage
◆ If a link local address has not yet been assigned to this interface, this command will dynamically generate a global unicast address (if a global prefix is included in received router advertisements) and a link local address for the interface. (The link-local address is made with an address prefix of FE80 and a host portion based on the switch’s MAC address in modified EUI-64 format.
ipv6 address dhcp
This command enables IPv6 DHCP client functionality on an interface so that it can acquire a stateful IPv6 address. Use the no form of the command to disable the IPv6 DHCP client.
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
prefix-length - A decimal value indicating how many contiguous bits (from the left) of the address comprise the prefix (i.e., the network portion of the address).
Example
This example uses the network prefix of 2001:0DB8:0:1::/64, and specifies that the EUI-64 interface identifier be used in the lower 64 bits of the address.
Console(config)#interface vlan 1
Console(config-if)#ipv6 address 2001:0DB8:0:1::/64 eui-64
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is stale.
Command Usage
◆ The specified address must be formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values. One double colon may be used in the address to indicate the appropriate number of zeros required to fill the undefined fields. And the address prefix must be in the range of FE80~FEBF.
ipv6 enable
This command enables IPv6 on an interface that has not been configured with an explicit IPv6 address. Use the no form to disable IPv6 on an interface that has not been configured with an explicit IPv6 address.

Syntax
[no] ipv6 enable

Default Setting
IPv6 is disabled

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ This command enables IPv6 on the current VLAN interface and automatically generates a link-local unicast address.
ND advertised reachable time is 0 milliseconds
ND advertised router lifetime is 1800 seconds
Console#

Related Commands
ipv6 address link-local (912)
show ipv6 interface (916)

ipv6 mtu
This command sets the size of the maximum transmission unit (MTU) for IPv6 packets sent on an interface. Use the no form to restore the default setting.

Syntax
ipv6 mtu size
no ipv6 mtu
size - Specifies the MTU size.
Related Commands
show ipv6 mtu (918)
jumbo frame (124)

show ipv6 interface
This command displays the usability and configured settings for IPv6 interfaces.

Syntax
show ipv6 interface [brief [vlan vlan-id [ipv6-prefix/prefix-length]]]
brief - Displays a brief summary of IPv6 operational status and the addresses configured for each interface.
vlan-id - VLAN ID (Range: 1-4094)
ipv6-prefix - The IPv6 network portion of the address assigned to the interface.
Table 179: show ipv6 interface - display description
Field | Description
VLAN | A VLAN is marked “up” if the switch can send and receive packets on this interface, “down” if a line signal is not present, or “administratively down” if the interface has been disabled by the administrator.
VLAN 1 Up Up fe80::269:3ef9:fe19:6779/64
Console#

Related Commands
show ip interface (897)

show ipv6 mtu
This command displays the maximum transmission unit (MTU) cache for destinations that have returned an ICMP packet-too-big message along with an acceptable MTU to this switch.
too big errors no routes address errors unknown protocols truncated packets discards delivers reassembly request datagrams reassembly succeeded reassembly failed IPv6 sent forwards datagrams 15 requests discards no routes generated fragments fragment succeeded fragment failed ICMPv6 Statistics: ICMPv6 received input errors destination unreachable messages packet too big messages time exceeded messages parameter problem message echo request messages echo rep
Table 181: show ipv6 traffic - display description
Field | Description
IPv6 Statistics
IPv6 received
total received | The total number of input datagrams received by the interface, including those received in error.
header errors | The number of input datagrams discarded due to errors in their IPv6 headers, including version number mismatch, other format errors, hop count exceeded, IPv6 options, etc.
Table 181: show ipv6 traffic - display description (Continued)
Field | Description
IPv6 sent
forwards datagrams | The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful.
Table 181: show ipv6 traffic - display description (Continued)
Field | Description
neighbor solicit messages | The number of ICMP Neighbor Solicit messages received by the interface.
neighbor advertisement messages | The number of ICMP Neighbor Advertisement messages received by the interface.
redirect messages | The number of Redirect messages received by the interface.
Table 181: show ipv6 traffic - display description (Continued)
Field | Description
other errors | The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
output | The total number of UDP datagrams sent from this entity.

clear ipv6 traffic
This command resets IPv6 traffic counters.
Command Usage
◆ Use the ping6 command to see if another site on the network can be reached, or to evaluate delays over the path.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter. For example, FE80::7272%1 identifies VLAN 1 as the interface from which the ping is sent.
Default Setting
Maximum failures: 5

Command Mode
Privileged Exec

Command Usage
◆ Use the traceroute6 command to determine the path taken to reach a specified destination.
◆ The same link-local address may be used by different interfaces/nodes in different zones (RFC 4007). Therefore, when specifying a link-local address, include zone-id information indicating the VLAN identifier after the % delimiter.
Neighbor Discovery

ipv6 hop-limit
This command configures the maximum number of hops used in router advertisements that are originated by this router. Use the no form to restore the default setting.

Syntax
ipv6 hop-limit hops
no ipv6 hop-limit
hops - The maximum number of hops in router advertisements and all IPv6 packets.
Default Setting
None

Command Mode
Global Configuration

Command Usage
◆ Address Resolution Protocol (ARP) has been replaced in IPv6 with the Neighbor Discovery Protocol (NDP). The ipv6 neighbor command is similar to the macaddress-table static command (page 502) that is implemented using ARP.
◆ Static entries can only be configured on an IPv6-enabled interface.
ipv6 nd dad attempts
This command configures the number of consecutive neighbor solicitation messages sent on an interface during duplicate address detection. Use the no form to restore the default setting.

Syntax
ipv6 nd dad attempts count
no ipv6 nd dad attempts
count - The number of neighbor solicitation messages sent to determine whether or not a duplicate address exists on this interface.
Example
The following configures five neighbor solicitation attempts for addresses configured on VLAN 1. The show ipv6 interface command indicates that the duplicate address detection process is still on-going.
Console(config)#interface vlan 1
Console(config-if)#ipv6 nd dad attempts 5
Console(config-if)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
Command Usage
Hosts obtain addresses through either stateful or stateless autoconfiguration. When the flag is set, they will use stateful autoconfiguration. When the flag is unset (using the no form of the command), attached hosts will use stateless autoconfiguration.

Example
The following example enables the setting of the managed address configuration flag in IPv6 router advertisements.
Console(config)#interface vlan 1
Console(config)#ipv6 nd ns-interval 30000
Console(config)#end
Console#show ipv6 interface
VLAN 1 is up
IPv6 is enabled.
ipv6 nd prefix
Use this command to configure the IPv6 prefixes to include in the router advertisements. Use the no form of the command with the prefix to remove it from the IPv6 router advertisements.

Syntax
ipv6 nd prefix ipv6-prefix {default | valid-lifetime preferred-lifetime}
no ipv6 nd prefix ipv6-prefix
ipv6-prefix - IPv6 prefix/length in bits (48 bits maximum).
Example
Console(config-if)#ipv6 nd ra interval 500
Console(config-if)#

ipv6 nd ra lifetime
This command configures the lifetime of IPv6 router advertisements on the specified VLAN. The no form of the command will set the RA lifetime to the default.
Default Setting
No default routing preference is sent in router advertisements.

Command Mode
Interface Configuration (VLAN)

Command Usage
◆ When hosts make router selections, the setting can be used by the hosts to select a preferred router when multiple routers can provide the same prefix routing destinations.
◆ The preference set with this command is transmitted in an unused portion of the IPv6 routing advertisements.
Command Mode
Interface Configuration (Ethernet, Port Channel)

Command Usage
◆ IPv6 Router Advertisements (RA) convey information that enables nodes to auto-configure on the network. This information may include the default router address taken from the observed source address of the RA message, as well as on-link prefix information.
◆ This time limit is included in all router advertisements sent out through an interface, ensuring that nodes on the same link use the same time value.
◆ Setting the time limit to 0 means that the configured time is unspecified by this router.
Eth 1/ 1 Yes
Console#

show ipv6 neighbors
This command displays information in the IPv6 neighbor discovery cache.

Syntax
show ipv6 neighbors [vlan vlan-id | ipv6-address]
vlan-id - VLAN ID (Range: 1-4094)
ipv6-address - The IPv6 address of a neighbor device. You can specify either a link-local or global unicast address formatted according to RFC 2373 “IPv6 Addressing Architecture,” using 8 colon-separated 16-bit hexadecimal values.
Chapter 31 | IP Interface Commands ND Snooping

Table 182: show ipv6 neighbors - display description (Continued)
Field | Description
State | The following states are used for dynamic entries:
   I1 (Incomplete) - Address resolution is being carried out on the entry. A neighbor solicitation message has been sent to the multicast address of the target, but it has not yet returned a neighbor advertisement message.
   I2 (Invalid) - An invalidated mapping.
packet to the target host. If it receives an NA packet in response, it knows that the target still exists and updates the lifetime of the binding; otherwise, it deletes the binding.

This section describes commands used to configure ND Snooping.
Command Mode
Global Configuration

Command Usage
◆ Use this command without any keywords to enable ND snooping globally on the switch. Use the VLAN keyword to enable ND snooping on a specific VLAN or a range of VLANs.
◆ Once ND snooping is enabled both globally and on the required VLANs, the switch will start monitoring RA messages to build an address prefix table as described below:
   ■ If an RA message is received on an untrusted interface, it is dropped.
Example
This example enables ND snooping globally and on VLAN 1.
Console(config)#ipv6 nd snooping
Console(config)#ipv6 nd snooping vlan 1
Console(config)#

ipv6 nd snooping auto-detect
This command enables automatic validation of dynamic user binding table entries by periodically sending NS messages and awaiting NA replies. Use the no form to disable this feature.
Command Mode
Global Configuration

Command Usage
The timeout after which the switch will delete a dynamic user binding if no RA message is received is set to the retransmit count x the retransmit interval (see the ipv6 nd snooping auto-detect retransmit interval command). Based on the default settings, this is 3 seconds.
ipv6 nd snooping prefix timeout
This command sets the time to wait for an RA message before deleting an entry in the prefix table. Use the no form to restore the default setting.

Syntax
ipv6 nd snooping prefix timeout timeout
no ipv6 nd snooping prefix timeout
timeout – The time to wait for an RA message to confirm that a prefix entry is still valid.
Example
Console(config)#ipv6 nd snooping max-binding 2
Console(config)#

ipv6 nd snooping trust
This command configures a port as a trusted interface from which prefix information in RA messages can be added to the prefix table, or NS messages can be forwarded without validation. Use the no form to restore the default setting.
Example
Console#clear ipv6 nd snooping binding
Console#

clear ipv6 nd snooping prefix
This command clears all entries in the address prefix table.

Syntax
clear ipv6 nd snooping prefix [interface vlan vlan-id]
vlan-id - VLAN ID. (Range: 1-4094)

Command Mode
Privileged Exec

Example
Console#clear ipv6 nd snooping prefix
Console#

show ipv6 nd
This command shows the configuration settings for ND snooping.
Syntax
show ipv6 nd snooping binding

Command Mode
Privileged Exec

Example
Console#show ipv6 nd snooping binding
MAC Address    IPv6 Address                           Lifetime   VLAN Interface
-------------- -------------------------------------- ---------- ---- ---------
0013-49aa-3926 2001:b001::211:95ff:fe84:cb9e          100        1    Eth 1/1
0012-cf01-0203 2001::1                                3400       2    Eth 1/2
Console#

show ipv6 nd
This command shows all entries in the address prefix table.
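The modified EUI-64 derivation described for link-local addresses, applied to the ND snooping binding table: the following Python is an added example, not part of this guide or the switch software. It parses output in the layout of show ipv6 nd snooping binding and flags bindings whose EUI-64-style interface identifier encodes a different MAC address than the one bound to the entry. All function names are assumptions of this example; the two data rows are the guide's own sample rows with column spacing reconstructed.

```python
import ipaddress
import re

# Rows copied from the guide's `show ipv6 nd snooping binding` example; the
# column spacing is reconstructed for this added example.
SAMPLE_OUTPUT = """\
MAC Address    IPv6 Address                           Lifetime   VLAN Interface
-------------- -------------------------------------- ---------- ---- ---------
0013-49aa-3926 2001:b001::211:95ff:fe84:cb9e          100        1    Eth 1/1
0012-cf01-0203 2001::1                                3400       2    Eth 1/2
Console#
"""

# One binding row: MAC (xxxx-xxxx-xxxx), IPv6 address, lifetime, VLAN, port.
ROW = re.compile(
    r"^(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?P<addr>[0-9a-fA-F:]+)\s+(?P<lifetime>\d+)\s+(?P<vlan>\d+)\s+(?P<port>\S.*)$"
)


def mac_to_bytes(mac):
    """Accept 0013-49aa-3926, 00:13:49:aa:39:26 or 0013.49aa.3926."""
    digits = re.sub(r"[-:.]", "", mac)
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw):
    """Render six bytes in the switch's xxxx-xxxx-xxxx notation."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    raw = bytearray(mac_to_bytes(mac))
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def link_local_from_mac(mac):
    """FE80 prefix plus the modified EUI-64 host portion, as the guide describes."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_interface_id(mac))


def parse_bindings(text):
    """Return one dict per binding row; headers, rulers and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.IPv6Address(m["addr"])
        except ipaddress.AddressValueError:
            continue  # malformed address column, not a usable row
        rows.append({
            "mac": format_mac(mac_to_bytes(m["mac"])),
            "addr": addr,
            "lifetime": int(m["lifetime"]),
            "vlan": int(m["vlan"]),
            "port": m["port"],
        })
    return rows


def audit_bindings(text):
    """Flag EUI-64-style addresses whose embedded MAC differs from the bound MAC."""
    findings = []
    for row in parse_bindings(text):
        iid = row["addr"].packed[8:]          # lower 64 bits of the address
        if iid[3:5] != b"\xff\xfe":
            continue                          # manual or random identifier: no claim to test
        if iid == eui64_interface_id(row["mac"]):
            continue                          # identifier matches the bound MAC
        embedded = bytearray(iid[:3] + iid[5:])
        embedded[0] ^= 0x02                   # undo the universal/local bit flip
        findings.append({
            "port": row["port"],
            "vlan": row["vlan"],
            "address": str(row["addr"]),
            "bound_mac": row["mac"],
            "embedded_mac": format_mac(bytes(embedded)),
        })
    return findings


if __name__ == "__main__":
    print("link-local for 0013-49aa-3926:", link_local_from_mac("0013-49aa-3926"))
    for f in audit_bindings(SAMPLE_OUTPUT):
        print(f"{f['port']} VLAN {f['vlan']}: {f['address']} is bound to "
              f"{f['bound_mac']} but encodes {f['embedded_mac']}")
```

A flagged row is a lead for review rather than proof of spoofing, since an address that looks like EUI-64 can also be configured by hand.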
30 IP Routing Commands

After network interfaces are configured for the switch, the paths used to send traffic between different interfaces must be set. If routing is enabled on the switch, traffic will automatically be forwarded between all of the local subnetworks.
Chapter 30 | IP Routing Commands Global Routing Configuration

IPv4 Commands

ip route
This command configures static routes. Use the no form to remove static routes.

Syntax
ip route destination-ip netmask next-hop [distance]
no ip route {destination-ip netmask [next-hop] | *}
destination-ip – IP address of the destination network, subnetwork, or host.
netmask - Network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets.
show ip route
This command displays information in the Forwarding Information Base (FIB).

Syntax
show ip route [connected | database | static | summary]
connected – Displays all currently connected entries.
database – All known routes, including inactive routes. (see show ip route database)
static – Displays all static entries.
C 192.168.2.0/24 is directly connected, VLAN1
Console#

show ip route database
This command displays entries in the Routing Information Base (RIB).

Command Mode
Privileged Exec

Command Usage
The RIB contains all available routes learned through directly attached networks, and any additionally configured routes such as static routes.
IPv6 Commands

ipv6 route
This command configures static IPv6 routes. Use the no form to remove static routes.

Syntax
[no] ipv6 route destination-ipv6-address/prefix-length {gateway-address [distance] | link-local-address%zone-id [distance]}
destination-ipv6-address – The IPv6 address of a destination network, subnetwork, or host. This must be a full IPv6 address including the network prefix and host address bits.
Example
This example forwards all traffic for subnet 2001::/64 to the next hop router 2001:DB8:2222:7272::254, using the default metric of 1.
Console(config)#ipv6 route 2001::/64 2001:DB8:2222:7272::254
Console(config)#

Related Commands
show ip route summary (950)

show ipv6 route
This command displays information in the Forwarding Information Base (FIB).
within a forwarding information base entry are a network prefix, a router port identifier, and next hop information.
◆ This command only displays routes which are currently accessible for forwarding. The router must be able to directly reach the next hop, so the VLAN interface associated with any dynamic or static route entry must be up.
Section III Appendices

This section provides additional information and includes these items:
◆ “Troubleshooting” on page 957
◆ “License Information” on page 959
A Troubleshooting

Problems Accessing the Management Interface

Table 205: Troubleshooting Chart

Symptom: Cannot connect using Telnet, or SNMP software
Action:
◆ Be sure the switch is powered up.
◆ Check network cabling between the management station and the switch. Make sure the ends are properly connected and there is no damage to the cable. Test the cable if necessary.

Symptom: Cannot connect using Secure Shell
Appendix A | Troubleshooting

Using System Logs

If a fault does occur, refer to the Installation Guide to ensure that the problem you encountered is actually caused by the switch. If the problem appears to be caused by the switch, follow these steps:

1. Enable logging.
2. Set the error messages reported to include all categories.
3. Enable SNMP.
4. Enable SNMP traps.
5. Designate the SNMP host that is to receive the error messages.
6.
B License Information

This product includes copyrighted third-party software subject to the terms of the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other related free software licenses. The GPL code used in this product is distributed WITHOUT ANY WARRANTY and is subject to the copyrights of one or more authors. For details, refer to the section "The GNU General Public License" below, or refer to the applicable license as included in the source-code archive.
Appendix B | License Information
The GNU General Public License

GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

1. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,

c) Accompany it with the information you received as to the offer to distribute c
9. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded.
Glossary

ACL
Access Control List. ACLs can limit network traffic and restrict access to certain users or devices by checking each packet for certain IP or MAC (i.e., Layer 2) information.

ARP
Address Resolution Protocol converts between IP addresses and MAC (hardware) addresses. ARP is used to locate the MAC address corresponding to a given IP address. This allows the switch to use IP addresses for routing decisions and the corresponding MAC addresses to forward packets from one hop to the next.
DNS
Domain Name Service. A system used for translating host names for network nodes into IP addresses.

DSCP
Differentiated Services Code Point Service. DSCP uses a six-bit tag to provide for up to 64 different forwarding behaviors. Based on network policies, different kinds of traffic can be marked for different kinds of forwarding. The DSCP bits are mapped to the Class of Service categories, and then into the output queues.

EAPOL
Extensible Authentication Protocol over LAN.
IEEE 802.1D
Specifies a general method for the operation of MAC bridges, including the Spanning Tree Protocol.

IEEE 802.1Q
VLAN Tagging—Defines Ethernet frame tags which carry VLAN information. It allows switches to assign endstations to different virtual LANs, and defines a standard way for VLANs to communicate across switched networks.

IEEE 802.1p
An IEEE standard for providing quality of service (QoS) in Ethernet networks.
IGMP Snooping
Listening to IGMP Query and IGMP Report packets transferred between IP Multicast Routers and IP Multicast host groups to identify IP Multicast group members.

In-Band Management
Management of the network from a station attached directly to the network.

IP Multicast Filtering
A process whereby this switch can pass multicast traffic along to participating hosts.
MSTP
Multiple Spanning Tree Protocol can provide an independent spanning tree for different VLANs. It simplifies network management, provides for even faster convergence than RSTP by limiting the size of each region, and prevents VLAN members from being segmented from the rest of the group.
QoS
Quality of Service. QoS refers to the capability of a network to provide better service to selected traffic flows using features such as data prioritization, queuing, congestion avoidance and traffic shaping. These features effectively provide preferential treatment to specific flows either by raising the priority of one flow or limiting the priority of another flow.

RADIUS
Remote Authentication Dial-in User Service.
TCP/IP
Transmission Control Protocol/Internet Protocol. Protocol suite that includes TCP as the primary transport protocol, and IP as the network layer protocol.

Telnet
Defines a remote communication facility for interfacing to a terminal device over TCP/IP.

TFTP
Trivial File Transfer Protocol. A TCP/IP protocol commonly used for software downloads.

UDP
User Datagram Protocol. UDP provides a datagram mode for packet-switched communications.
CLI Commands

aaa accounting commands 249
aaa accounting dot1x 246
aaa accounting exec 247
aaa accounting update 248
aaa authorization commands 251
aaa authorization exec 250
aaa group server 252
absolute 178
access-list arp 399
access-list ip 382
access-list ipv6 388
access-list mac 394
accounting commands 253
accounting commands 254
accounting dot1x 253
arp 901
arp timeout 903
authentication enable 234
authentication login 235
authorization commands 256
authorization exec 255
auto-traffic-control 477
auto
cluster ip-pool 185
cluster member 185
configure 96
control-vlan 554
copy 128
databits 140
default-router 879
delete 131
delete public-key 270
description 649
description 411
dir 132
disable 96
discard 411
disconnect 148
dns-server 879
domain-name 880
dos-protection land 373
dos-protection tcp-null-scan 374
dos-protection tcp-syn-fin-scan 374
dos-protection tcp-xmas-scan 375
dot1q-tunnel system-tunnel-control 597
dot1q-tunnel tpid 597
dot1x default 275
dot1x eapol-pass-through 275
dot1x intrus
ip dhcp relay information option 871
ip dhcp relay information policy 874
ip dhcp relay server 870
ip dhcp restart client 867
ip dhcp snooping 325
ip dhcp snooping max-number 336
ip dhcp snooping database flash 339
ip dhcp snooping information option 327
ip dhcp snooping information option circuit-id 334
ip dhcp snooping information option encode no-subtype 328
ip dhcp snooping information option remote-id 329
ip dhcp snooping information option tr101 board-id 330
ip dhcp snooping limit rate 3
ipv6 mld snooping router-port-expire-time 708
ipv6 mld snooping unknown-multicast mode 709
ipv6 mld snooping unsolicited-report-interval 710
ipv6 mld snooping version 710
ipv6 mld snooping vlan immediate-leave 711
ipv6 mld snooping vlan mrouter 711
ipv6 mld snooping vlan static 712
ipv6 mtu 915
ipv6 multicast-data-drop 723
ipv6 nd dad attempts 928
ipv6 nd managed-config-flag 929
ipv6 nd ns-interval 930
ipv6 nd other-config-flag 931
ipv6 nd prefix 932
ipv6 nd ra interval 932
ipv6 nd ra lifetime
mep crosscheck mpid 828
mep fault-notify alarm-time 836
mep fault-notify lowest-priority 837
mep fault-notify reset-time 839
mep-monitor 559
mst priority 524
mst vlan 525
mvr 728
mvr associated-profile 728
mvr domain 729
mvr immediate-leave 736
mvr priority 729
mvr profile 730
mvr proxy-query-interval 731
mvr proxy-switching 731
mvr robustness-value 733
mvr source-port-mode dynamic 733
mvr type 737
mvr upstream-source-ip 734
mvr vlan 735
mvr vlan group 738
mvr6 associated-profile 751
mvr6 doma
queue mode 628
queue weight 629
quit 94
radius-server acct-port 236
radius-server auth-port 237
radius-server encrypted-key 239
radius-server host 237
radius-server key 239
radius-server retransmit 240
radius-server timeout 240
range 694
range 720
raps-def-mac 566
raps-without-vc 566
rate-limit 470
rcommand 186
reload (Global Configuration) 92
reload (Privileged Exec) 97
rename 651
revision 526
ring-port 551
rmon alarm 216
rmon collection history 218
rmon collection rmon1 219
rmon event 217
rp
show ip igmp authentication 699
show ip igmp filter 700
show ip igmp igmp-with-pppoe 701
show ip igmp profile 701
show ip igmp query-drop 702
show ip igmp snooping 684
show ip igmp snooping group 685
show ip igmp snooping mrouter 686
show ip igmp snooping statistics 687
show ip igmp throttle interface 702
show ip interface 897
show ip multicast-data-drop 703
show ip route 949
show ip route database 950
show ip route summary 950
show ip source-guard 356
show ip source-guard binding 357
show ip
show queue weight 631
show radius-server 241
show reload 97
show rmon alarms 220
show rmon events 220
show rmon history 221
show rmon statistics 221
show rspan 467
show running-config 117
show sflow 227
show smart-pair 511
show snmp 193
show snmp engine-id 205
show snmp group 205
show snmp notify-filter 211
show snmp user 207
show snmp view 207
show snmp-server enable port-traps 199
show sntp 165
show spanning-tree 541
show spanning-tree mst configuration 543
show ssh 273
show startup-config 1
speed-duplex 416
stopbits 146
subnet-vlan 615
switchport acceptable-frame-types 589
switchport allowed vlan 590
switchport block 417
switchport dot1q-tunnel mode 599
switchport dot1q-tunnel priority map 600
switchport dot1q-tunnel service default match all 603
switchport dot1q-tunnel service match cvid 600
switchport forbidden vlan 582
switchport gvrp 582
switchport ingress-filtering 591
switchport l2protocol-tunnel 607
switchport mode 592
switchport mtu 418
switchport native vlan 593
switchpo
E102019-CS-R04